The following is a list of example evidence for NIST CSF 2.0 controls that are not automatically monitored in Drata.
Note: The examples below are illustrative only. An auditor may request additional or alternative forms of evidence based on your scope, risk posture, and implementation details.
This article covers NIST CSF 2.0 controls mapped in Drata that are not automatically monitored today. Some evidence is document-based, while other evidence may be provided through screenshots, exports, or auditor observation, depending on the control.
DCF Code | DCF Name | Example Evidence |
DCF-5 | Change Review Process | Upload evidence showing code changes are peer-reviewed and approved by an individual different from the developer prior to deployment to production.
Example: branch protection or repository ruleset settings showing pull request or merge request requirements, required reviewer approvals, dismissal of approvals when new commits are pushed after review, restrictions on direct pushes or merges to protected branches, whether administrators or bypass lists are exempt from the rules, and other controls enforcing segregation of duties for production code changes. |
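As an added example (not from Drata's article or product), the following Python pre-check reads a branch protection export shaped like the JSON that GitHub's REST API returns for GET /repos/{owner}/{repo}/branches/{branch}/protection and reports which DCF-5 expectations the settings do and do not meet, so the gaps can be fixed before the screenshot is taken. The sample export, the check names, and the functions evaluate_branch_protection and is_compliant are constructed for this example; the field names are GitHub's. Repository rulesets and other platforms use different field names, so the mapping would need to be adapted for them.

```python
import json

# Constructed sample, shaped like the JSON GitHub's REST API returns for
# GET /repos/{owner}/{repo}/branches/{branch}/protection. The values are
# illustrative only, not an export from any real repository.
SAMPLE_EXPORT = json.dumps({
    "required_pull_request_reviews": {
        "dismiss_stale_reviews": False,
        "require_code_owner_reviews": True,
        "required_approving_review_count": 1,
    },
    "enforce_admins": {"enabled": False},
    "required_status_checks": {"strict": True, "contexts": ["ci/test"]},
    "allow_force_pushes": {"enabled": False},
    "allow_deletions": {"enabled": False},
})


def evaluate_branch_protection(export_json: str) -> dict:
    """Map each DCF-5 expectation to (passed, note) for one branch protection export.

    The checks go beyond "a pull request is required": a reviewer other than the
    author, no approval that outlives later pushes, and no bypass for administrators.
    """
    p = json.loads(export_json)
    reviews = p.get("required_pull_request_reviews") or {}
    approvals = int(reviews.get("required_approving_review_count", 0))

    def enabled(setting: str) -> bool:
        # Toggle settings look like {"enabled": true}; an absent block means off.
        return bool((p.get(setting) or {}).get("enabled", False))

    return {
        # No pull request requirement means commits can land on the branch directly.
        "pull_request_required": (bool(reviews), "pull request reviews are required before merging"),
        # GitHub does not let an author approve their own pull request, so a count of
        # at least one approval is what proves a second person signed off.
        "second_person_approval": (approvals >= 1, f"required approving reviews: {approvals}"),
        # Without stale-review dismissal an approval survives commits pushed after it,
        # so the diff that was reviewed and the diff that merges can differ.
        "dismiss_stale_reviews": (bool(reviews.get("dismiss_stale_reviews")), "approvals are dismissed when new commits are pushed"),
        # Administrators exempt from the rules are a bypass path around the control.
        "enforce_admins": (enabled("enforce_admins"), "rules also apply to repository administrators"),
        # Force pushes and deletion can rewrite or remove reviewed history.
        "force_push_blocked": (not enabled("allow_force_pushes"), "force pushes are blocked"),
        "deletion_blocked": (not enabled("allow_deletions"), "branch deletion is blocked"),
    }


def is_compliant(export_json: str) -> bool:
    """True only when every DCF-5 expectation passes."""
    return all(passed for passed, _ in evaluate_branch_protection(export_json).values())


if __name__ == "__main__":
    for check, (passed, note) in evaluate_branch_protection(SAMPLE_EXPORT).items():
        print(f"{'PASS' if passed else 'FAIL'}  {check:24} {note}")
    print("compliant:", is_compliant(SAMPLE_EXPORT))
```

Run against the sample, the two FAIL lines (stale reviews are not dismissed, administrators are exempt) are exactly the settings an auditor would point at: a required review that an administrator can bypass, or that a later push can silently outlive, does not enforce the segregation of duties the control describes.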
DCF-6 | Production Changes Restricted | Upload evidence showing which users have access to deploy changes to production.
Example: users with administrator access to a production server, users that can trigger deployments in CI/CD tools, code owners of the production repositories, etc. Auditors will generally request evidence of the final "gatekeepers" for production deployments. |
DCF-7 | Separate Environments | Upload evidence showing separate environments exist for development, testing, staging, and production, as applicable.
Example: screenshots of web environments showing different URLs; screenshots showing separate infrastructure such as different servers, databases, accounts, or networks for production and lower environments, etc. |
DCF-8 | External Communication Channels | Upload evidence of external communication channels available to customers and third parties to report complaints, failures, bugs, incidents, vulnerabilities, or requests for information.
Example: screenshots of a customer support portal, help desk page, external ticketing system, responsible disclosure page, or embedded support feature in the product. |
DCF-9 | Internal Communication Channels | Upload examples of internal communication channels for employees to report failures, events, incidents, concerns, and other issues.
Example: screenshots of internal channels dedicated to security event reporting in messaging apps (Slack, MS Teams, etc.), whistleblower channels, etc. |
DCF-11 | Periodic Access Reviews | Upload documentation of the most recent access review showing review of user accounts and assigned privileges, including third-party or vendor accounts and physical access where applicable.
Example: screenshots or exports of the user lists and permissions reviewed, evidence of reviewer approval, documentation of any changes identified, and evidence those changes were implemented. |
DCF-12 | Baseline Configuration and Hardening Standards | Upload evidence of your documented baseline security configuration and hardening standards for all system components, aligned to industry-accepted hardening standards or vendor recommendations, and evidence that these standards are implemented.
Example: baseline configuration standards, hardening checklists, CIS Benchmarks, vendor configuration guidance, infrastructure-as-code configurations, and evidence the standards are reviewed periodically and updated as needed. |
DCF-14 | Organizational Chart | Upload your current organizational chart.
Example: screenshot or export from your HRMS, people directory, or internal org chart showing personnel, job titles, departments, and reporting lines. |
DCF-16 | Periodic Risk Assessment | Upload documentation of the most recent risk assessment performed in accordance with company policy and compliance requirements.
Example: risk assessment report or risk register showing identified risks, associated threats and vulnerabilities, likelihood and impact ratings, assigned risk owners, and documented results. |
DCF-17 | Risk Treatment Plan | Upload the documented risk treatment plan for risks identified through risk assessment activities.
Example: risk treatment plan or risk register showing the selected treatment option for each risk, planned remediation actions, assigned owners, target dates, and status tracking. |
DCF-19 | Penetration Tests | Upload evidence of the most recent external penetration test of production environments performed by an independent third party.
Example: the penetration test report showing scope and results, evidence of management review, and documentation showing identified vulnerabilities are tracked to resolution in accordance with company policy. |
DCF-20 | Asset Inventory | Upload evidence of your centralized asset inventory for physical, cloud, and other in-scope assets.
Example: an asset register or CMDB showing asset owner, description, location, classification, and other relevant attributes by asset type, along with evidence that the inventory is kept current through manual review or automated discovery/update processes. |
DCF-22 | Network Diagram | Upload your current network diagram documenting system boundaries and connections to external networks. Include evidence that the diagram was reviewed and approved by management within the past year and updated as needed when changes occurred.
Example: the current network diagram plus approval records, review signoff, change tickets, or emails confirming the diagram’s accuracy and completeness. |
DCF-26 | Business Continuity Plan/Disaster Recovery Test | Upload evidence of the most recent business continuity and/or disaster recovery test performed within the past year.
Example: the test plan or exercise documentation, participants, activities performed, results, lessons learned, and evidence that the business continuity and/or disaster recovery plans were updated as necessary based on the outcome of the test. |
DCF-28 | Security Events Tracked and Evaluated | Upload evidence for a recent security event or incident showing it was evaluated, categorized, documented, tracked, and resolved in accordance with company policies and procedures.
Example: an incident ticket or case record showing incident priority, categorization, escalation, status tracking, containment and remediation steps, communications, and closure. |
DCF-29 | Incident Response Team | Upload documentation identifying the incident response team roles and responsibilities.
Example: incident response plan, team charter, or responsibility matrix showing who is responsible for invoking the incident management process, serving as incident lead, handling incidents, coordinating communications, providing technical guidance, and providing legal or compliance support, as applicable. |
DCF-30 | Incident Response Lessons Learned Documented | Upload the post-mortem review for a recent incident.
Example: a completed incident review showing incident metadata, root-cause analysis, supporting evidence, a summary of containment, eradication, and recovery actions, timelines, incident metrics, internal and external communications as applicable, impact and scope, and lessons learned. |
DCF-38 | Performance Evaluations | Upload evidence of a completed performance evaluation for eligible personnel performed within the past year in accordance with company policies and procedures.
Example: a completed performance review showing evaluation against established goals and objectives, reviewer signoff or approval, and supporting documentation for the evaluation process. Consider redacting sensitive information such as employee names, compensation details, or other confidential personnel information. |
DCF-42 | Defined Roles and Responsibilities | Upload documentation showing defined roles and responsibilities for implementation and oversight of the organization’s risk management and compliance programs.
Example: roles and responsibilities section of a governance, security, privacy, or compliance policy; RACI matrix; program charter; committee charter; or other document identifying responsible roles and oversight responsibilities. |
DCF-46 | Formal Screening Process | Upload evidence of the formal screening process for a recently hired employee or contractor.
Example: applicant tracking system record, interview schedule and interviewer feedback, resume review, verification of academic or professional qualifications, identity verification, reference checks, technical assessment results, and documented hiring evaluation or approval. |
DCF-47 | Job Descriptions | Upload documented job descriptions for applicable company positions.
Example: job descriptions showing the role title, core responsibilities, reporting structure, and the required qualifications, skills, and experience for the role. |
DCF-56 | Vendor Register and Agreements | Upload evidence of a centralized, up-to-date vendor or third-party register that includes vendor name, relationship owner, description of services, assigned risk rating, and results of vendor or third-party risk management activities. For a sample of vendors selected by the auditor, also provide the executed agreement with each vendor or service provider involved in accessing, processing, storing, or managing information assets, showing the responsibilities of the vendor or service provider. |
DCF-57 | Vendor Compliance Monitoring | Upload evidence showing that compliance reports or other security/compliance evidence for critical vendors and service providers are obtained and reviewed at least annually.
Example: SOC 2 Type II reports, ISO 27001 certificates, PCI DSS attestations, completed security questionnaires, or equivalent assessment documentation, along with documented review notes, identified gaps, and any resulting action items or follow-up activities. |
DCF-59 | Privileged Access Restricted | Upload screenshots or exports of user lists showing users with administrative or privileged access for relevant systems.
Example: privileged user listings for cloud infrastructure, code repositories, identity provider, password vault systems, VPN systems, databases, and other in-scope systems, including the roles or permissions assigned. |
DCF-62 | Session Termination | Upload evidence showing the system automatically terminates user sessions based on predefined conditions.
Example: screenshots or screen recordings showing a user is logged out after a defined period of inactivity and logged out when the browser or application session is closed, with reauthentication required to regain access. |
DCF-64 | Commitments Communicated to Customers | Upload evidence showing service commitments and system requirements are communicated to customers and other external parties, as appropriate.
Example: customer contracts, order forms, service descriptions, trust center or website content, implementation guides, or other customer-facing documentation, along with evidence that relevant parties are notified when service commitments or system requirements change. |
DCF-67 | Multi-Factor Authentication | Upload screenshots of the multi-factor authentication configurations for relevant systems where MFA is not integrated with Drata. If MFA is enforced on a per-user basis instead of as a global setting, upload evidence showing all users have MFA enabled.
Example: screenshots or exports from the relevant systems showing MFA settings, enforcement configuration, or user-level MFA status. |
DCF-68 | Password Policy and Configuration | Upload your documented password policy and evidence of the password requirements enforced for relevant systems in accordance with company policy.
Example: password policy defining minimum length, complexity, and related requirements, along with screenshots or exports from relevant systems showing those password settings are configured and enforced. |
DCF-69 | Access Provisioning | Upload evidence of a recent access request showing access to information resources was documented and approved by management before provisioning.
Example: access request form, IAM workflow, or help desk ticket for a new hire, role change, or access modification showing the requested systems or data, requested access level, business justification, approver, approval date, and completed provisioning record. Include physical access requests as applicable. |
DCF-70 | Access Deprovisioning | Upload evidence for a recently terminated employee, contractor, vendor, or other personnel showing system and physical access were revoked within one business day of the effective termination date.
Example: offboarding checklist, IAM or help desk ticket, account disabled logs, badge or physical access revocation records, and evidence of completion dates for each deprovisioning step. |
DCF-76 | Critical Change Management | Upload evidence for a recent emergency change or hot fix implemented outside the standard change management process.
Example: emergency change ticket or incident-linked change record showing the reason for the emergency change, implementation details, date of implementation, post-implementation review, and approval by an authorized individual after implementation. |
DCF-77 | Data Backups | Upload evidence showing backups of production data are performed at least daily and retained in accordance with company policies and procedures.
Example: screenshots or exports from backup systems showing backup schedules, successful backup job history, and configured retention periods for production data. |
DCF-79 | Logging System | Upload evidence of your centralized logging system that collects and stores system activity logs and sends alerts to personnel based on pre-configured rules.
Example: screenshots or exports showing log sources feeding into the SIEM or log management platform, sample alert rules and resulting notifications, and access control settings showing access to logs is restricted to authorized personnel. |
DCF-85 | Network Security Controls | Upload evidence of network security controls for in-scope environments.
Example: screenshots or exports of firewall rules, security groups, network ACLs, or equivalent configurations showing inbound and outbound traffic is limited to only what is necessary based on business justification and all other traffic is denied. Note: where the control is allow-list only (for example, cloud security groups), traffic with no matching rule is already denied, so the evidence should focus on each allowed rule, its source or destination, and its documented justification; for firewalls and network ACLs that evaluate an ordered rule list, include the final explicit deny rule. |
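As an added example (not from Drata's article or product), the following Python check reviews a security group export shaped like the output of aws ec2 describe-security-groups and lists the rules an auditor would question under DCF-85: inbound rules open to the whole internet that are not on the documented public allow list, "all traffic" rules, and rules with no description recording their business justification. The sample export, the APPROVED_PUBLIC_INGRESS allow list, and the function review_security_groups are constructed for this example; the field names are those of the AWS CLI output.

```python
import json
from ipaddress import ip_network

# Constructed sample, shaped like `aws ec2 describe-security-groups --output json`.
# Group IDs, ports and descriptions are illustrative only, not from any real account.
SAMPLE_EXPORT = json.dumps({"SecurityGroups": [
    {"GroupId": "sg-0example01", "GroupName": "web-alb",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0", "Description": "Public HTTPS for customer traffic"}],
          "Ipv6Ranges": [{"CidrIpv6": "::/0", "Description": "Public HTTPS for customer traffic"}],
          "UserIdGroupPairs": []}],
     # Egress to anywhere on every protocol with no description: a common default that needs a justification.
     "IpPermissionsEgress": [
         {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0example02", "GroupName": "app-db",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [], "Ipv6Ranges": [],
          "UserIdGroupPairs": [{"GroupId": "sg-0example03", "Description": "App tier to Postgres"}]},
         # SSH from the internet into the database tier: the finding an auditor will ask about.
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}],
     "IpPermissionsEgress": []},
]})

# Inbound (protocol, port) pairs documented as intentionally public. Assumption for
# this example; in practice take the list from the DCF-201 configuration standard.
APPROVED_PUBLIC_INGRESS = {("tcp", 443)}


def _is_anywhere(cidr: str) -> bool:
    """True for 0.0.0.0/0 or ::/0, compared as parsed networks rather than strings."""
    return ip_network(cidr, strict=False).prefixlen == 0


def _ports(rule: dict) -> str:
    if rule.get("IpProtocol") == "-1":      # AWS encodes "all protocols, all ports" as -1
        return "all protocols/ports"
    lo, hi = rule.get("FromPort"), rule.get("ToPort")
    return f"{rule['IpProtocol']}/{lo}" if lo == hi else f"{rule['IpProtocol']}/{lo}-{hi}"


def review_security_groups(export_json: str) -> list:
    """Return (finding, location) pairs for rules that would not pass a DCF-85 review.

    A security group is allow-list only, so anything without a matching rule is already
    denied; the review is about what is allowed, from where, and whether each rule
    carries the business justification the control expects.
    """
    findings = []
    for sg in json.loads(export_json)["SecurityGroups"]:
        for direction, key in (("ingress", "IpPermissions"), ("egress", "IpPermissionsEgress")):
            for rule in sg.get(key, []):
                peers = [(r["CidrIp"], r.get("Description")) for r in rule.get("IpRanges", [])]
                peers += [(r["CidrIpv6"], r.get("Description")) for r in rule.get("Ipv6Ranges", [])]
                peers += [(r["GroupId"], r.get("Description")) for r in rule.get("UserIdGroupPairs", [])]
                for peer, description in peers:
                    where = f"{sg['GroupId']} {direction} {_ports(rule)} {peer}"
                    if not description:
                        findings.append(("missing_justification", where))
                    if rule.get("IpProtocol") == "-1":
                        findings.append(("all_traffic", where))
                    # Security-group peers (sg-...) are not CIDRs and can never mean "anywhere".
                    if direction == "ingress" and not peer.startswith("sg-") and _is_anywhere(peer):
                        single_port = rule.get("FromPort") == rule.get("ToPort")
                        approved = single_port and (rule.get("IpProtocol"), rule.get("FromPort")) in APPROVED_PUBLIC_INGRESS
                        if not approved:
                            findings.append(("world_open_ingress", where))
    return findings


if __name__ == "__main__":
    for finding, where in review_security_groups(SAMPLE_EXPORT):
        print(f"{finding:22} {where}")
```

On the sample, the public HTTPS rule passes because it is on the allow list and carries a description, while the world-open SSH rule and the undocumented all-traffic egress rule are reported. The printed list is the set of rules to fix or document before exporting the configuration as evidence, and the same export can then be attached alongside the DCF-201 standard that justifies each remaining rule.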
DCF-86 | System Monitoring | Upload evidence showing production systems and resources are monitored and automated alerts are sent to personnel based on pre-configured rules.
Example: screenshots from monitoring or observability tools showing system availability or health monitoring, alert rules or notification configurations, sample alerts, and documentation or tickets showing events are triaged and escalated in accordance with company policy when necessary.
|
DCF-88 | Web Application Firewall (WAF) | Upload evidence that a web application firewall is in place to protect public-facing web applications from outside threats.
Example: screenshots or exports showing the WAF is enabled for public-facing applications, the applications or domains protected by the WAF, active rule sets or protection policies, and alerting or event logs showing the WAF is operating.
|
DCF-91 | Intrusion Detection/Prevention System | Upload evidence that an intrusion detection system (IDS), intrusion prevention system (IPS), or equivalent is in place to detect real-time suspicious or anomalous network traffic and alert personnel when a potential intrusion is detected.
Example: screenshots or exports from the IDS/IPS or equivalent tool showing the service is enabled, the detection rules or threat types monitored, and alerting or notification settings identifying how personnel are notified of potential intrusions.
|
DCF-92 | Encrypted Remote Production Access | Upload evidence showing remote access to production systems is only available through an encrypted connection.
Example: screenshots or exports showing the approved remote access method in use, such as VPN, SSH, bastion host, or another encrypted administrative access path, along with evidence that direct unencrypted remote access to production is not allowed.
|
DCF-95 | Monitoring Processing Capacity and Usage | Upload evidence showing processing capacity and resource usage are monitored continuously to manage demand and enable additional resources to be implemented as necessary.
Example: dashboards or reports showing CPU, memory, storage, network, or other utilization metrics for critical systems, configured utilization thresholds or alerts, and evidence of capacity reviews, scaling actions, or planned resource increases when thresholds are approached. |
DCF-97 | Autoscaling | Upload evidence showing autoscaling is enabled for relevant cloud resources and configured to provision additional resources when predefined capacity thresholds are met.
Example: screenshots or exports of autoscaling group settings, scaling policies, threshold-based triggers, minimum/maximum capacity settings, and recent scaling activity or event history. |
DCF-98 | Backup Storage | Upload evidence showing backups are encrypted and segmented from production systems to protect them from disaster or incident scenarios.
Example: screenshots or exports showing backup encryption settings, backup storage architecture, replication to a different region or offsite location, air-gapped or logically segregated backup storage, and access controls restricting backup storage access. |
DCF-99 | Backup Monitoring | Upload evidence showing automated notifications are sent to personnel when backup processes fail and that backup failures are investigated and resolved in accordance with company policies and procedures.
Example: backup service alert configuration, sample failed backup notification, and ticket or incident record showing investigation, remediation, and resolution by engineering personnel.
|
DCF-100 | Backup Restore Testing | Upload evidence of your most recent test restore of backed-up data completed within the past year.
Example: Documentation of the backup restoration process showing steps taken and associated evidence, results, date completed, etc. The evidence should include the steps taken to restore the data from a backup and validation of the completeness and accuracy of the restored data. |
DCF-104 | Test Data | Upload evidence showing test data is used in testing, development, staging, or other non-production environments to prevent sensitive information from being copied into lower environments.
Example: screenshots from non-production databases showing mock or synthetic data, documented anonymization or masking procedures, data generation scripts, or environment configuration standards prohibiting the use of live production data in lower environments.
|
DCF-105 | Personnel Non-Disclosure Agreements (NDA) | Upload an example executed confidentiality agreement for a recently hired employee or contractor.
Example: signed NDA, PIIA, employment agreement, contractor agreement, or other executed agreement that outlines confidentiality requirements and was completed prior to hire.
|
DCF-107 | Disposal of Sensitive Data on Paper | Observation of hard copy material being disposed of through secure means such as cross-cut shredding, incinerating, or pulping so the data cannot be reconstructed.
Note: This can be performed by auditors on-site, or via live virtual meeting. |
DCF-108 | Secure Storage Mechanisms | Upload evidence of secure storage mechanisms used for digital media, hardcopy materials containing sensitive data, and critical equipment or other assets.
Example: photos or screenshots showing locked cabinets, file rooms, storage closets, key cabinets, secure cages, or similar storage mechanisms, along with evidence that access to those storage locations, physical keys, or authentication information is restricted to authorized personnel. |
DCF-109 | Disposal of Sensitive Data on Hardware | Upload evidence for one instance of hardware disposal or reuse showing sensitive data on the device was securely destroyed or wiped in accordance with documented policies and procedures.
Example: certificate of destruction, media sanitization record, device disposal log, or screenshots showing secure wipe completion before reuse or disposal.
|
DCF-123 | Procedures for Information Disposal | Upload documented policies and procedures for erasure or destruction of information that has been identified for disposal.
Example: data disposal or media sanitization procedure, retention and disposal standard, records management procedure, or secure destruction procedure showing how information is identified for disposal and then erased or destroyed using approved methods. |
DCF-132 | Privacy and Security Requirements in Third-Party Agreements | Upload an executed agreement with a vendor or third party involved in accessing, processing, storing, transferring, or managing information that includes security, confidentiality, and privacy requirements.
Example: master service agreement, data processing agreement, business associate agreement, security addendum, or similar contract showing obligations for protecting information during transfer and processing.
|
DCF-135 | Notification of Incidents or Breaches | Upload evidence showing the organization communicates breaches and incidents to affected parties, organizational officials, authorities, and other internal and external stakeholders in accordance with company policies and procedures and applicable legal and contractual obligations.
Example: documented breach notification procedure, notification decision tree, breach notification template, incident communications log, sample notification to affected parties or authorities, or internal escalation records showing how notification requirements are evaluated and executed.
|
DCF-140 | Point of Contact for Privacy Inquiries | Upload evidence showing the organization provides a contact mechanism for data subjects to submit privacy-related requests or report privacy incidents.
Example: privacy email address, web form, customer portal, help center intake flow, or other documented channel made available to data subjects. |
DCF-146 | Board Meetings | Upload the agenda and meeting minutes for the most recent board, owner, senior leadership, or equivalent governance meeting showing review of company performance, strategic objectives, compliance initiatives, and security and privacy risk and mitigation strategies. Include documented attendees, decisions made, and action items. |
DCF-149 | Removable Media Device Encryption | Upload evidence showing removable media devices that contain sensitive data are encrypted.
Example: screenshots or exports from device encryption tools, endpoint management settings, or removable media control configurations showing encryption is enforced for USB drives, external hard drives, optical media, or other removable storage used to store or transport sensitive data.
|
DCF-150 | Data Loss Prevention (DLP) Mechanisms | Upload evidence showing data loss prevention mechanisms are implemented on systems that process, store, or transmit sensitive information.
Example: screenshots or exports of DLP rules in email, endpoint, cloud storage, collaboration, or other relevant systems showing the controls are configured to prevent data leakage and generate audit logs and alerts. |
DCF-154 | Incident Response Test | Upload evidence of the most recent incident response test performed within the past year.
Example: tabletop exercise, walkthrough, simulation, or other documented test of the incident response plan and procedures showing scenario details, participants, activities performed, results, lessons learned, and evidence that the incident response plan and procedures were updated as needed based on the outcome of the test.
|
DCF-155 | Testing of Changes | Upload evidence for a recent change showing it was tested in a non-production environment before deployment to production.
Example: a change ticket or work item with documented test criteria or acceptance criteria, screenshots or exports of test results, CI/CD or QA test run results, evidence of any defects identified and resolved, and approval to promote the change after testing was completed. |
DCF-157 | Cybersecurity Insurance | Upload your current certificate of insurance or policy documentation showing cybersecurity insurance and/or errors and omissions coverage in effect.
Example: certificate of insurance or declarations page showing the insurer, policy number, coverage type, coverage amounts, and policy effective and expiration dates.
|
DCF-160 | Continuous Control Monitoring | Upload evidence showing the organization uses compliance automation software to identify, select, and continuously monitor internal controls.
Example: screenshots or exports from Drata or equivalent compliance automation tooling showing the control inventory, mapped control tests, monitoring status, test results, control owners, and open failures or remediation workflows.
|
DCF-163 | Legal Requirements | Upload documentation showing the organization has identified and documented the legal, statutory, regulatory, and contractual requirements relevant to the company, assigned responsibility for those requirements, and established processes to satisfy them and monitor and review changes. Example: legal and regulatory requirements register, contractual obligations register, compliance matrix, assigned owners, and evidence of periodic review or update tracking.
|
DCF-165 | Periodic Independent Assessments | Upload evidence of a recent periodic independent assessment of internal controls.
Example: internal audit plan or assessment program showing scope, timing, and assigned assessor, along with the completed internal audit or assessment report, documented findings, management responses, corrective actions, and evidence the assessment results were retained.
|
DCF-166 | Business Continuity Plan | Upload your documented business continuity plan.
Example: a business continuity plan that defines continuity strategies, recovery approaches, roles and responsibilities, activation criteria, communication procedures, and steps for maintaining critical operations during a disruption.
|
DCF-167 | Business Impact Analysis | Upload your documented business impact analysis (BIA).
Example: a BIA showing critical business processes and assets, criticality ratings, business recovery order, minimum service levels, recovery assumptions or dependencies, and evidence the results are incorporated into business continuity and disaster recovery plans.
|
DCF-168 | Vendor Management Policy | Upload your documented vendor management policy.
Example: a policy that defines requirements for vendor and third-party onboarding, due diligence, risk classification, contract and security/privacy review, ongoing monitoring, periodic reassessment, service changes, and offboarding or termination activities across the full vendor lifecycle. |
DCF-173 | Employment Terms & Conditions | For one example personnel file, upload an executed employment agreement, offer letter, contractor agreement, or equivalent document showing the individual acknowledged terms and conditions of employment that include information security responsibilities.
Example: confidentiality obligations, legal or regulatory obligations, acceptable handling of company or customer data, protection of intellectual property, return of assets, and responsibilities that continue after employment ends. |
DCF-175 | Communications Plan | Upload your documented communications plan or procedure showing how relevant information is communicated internally and externally for the organization’s information security, privacy, or other programs.
Example: documented communication plan, ISMS communication procedure, incident communication matrix, stakeholder communication matrix, or policy section defining what is communicated, to whom, by whom, when, and through which communication channels. |
DCF-180 | Secure Information Transfer | Upload your documented policy or procedure for secure information transfer.
Example: data protection policy, secure transfer standard, encryption standard, file transfer procedure, or vendor/customer data exchange procedure showing how information is securely transferred internally and externally, including approved transfer methods, encryption requirements, access restrictions, and handling requirements for sensitive data. |
DCF-182 | Asset Management Policy | Upload your documented asset management policy.
Example: a policy that defines requirements for identifying, tracking, assigning ownership, classifying, maintaining, transferring, returning, and disposing of company assets, along with requirements for keeping the asset inventory accurate and up to date. |
DCF-183 | Vulnerability Management | Upload your documented vulnerability management policy.
Example: a policy that defines how vulnerabilities are identified from sources such as scans, vendor advisories, and security bulletins; how they are cataloged and risk-rated; how remediation is prioritized and tracked; and the roles, responsibilities, and timelines for review and resolution. |
DCF-185 | Threat Intelligence | Upload evidence showing the organization has defined threat intelligence objectives and implemented mechanisms to collect threat information and produce threat intelligence.
Example: documented threat intelligence plan or procedure, subscribed commercial or open-source threat feeds, vendor or security product intelligence feeds, mailing list or advisory subscriptions, internal threat summaries or reports, and evidence that collected threat information is reviewed and assessed in accordance with the defined threat intelligence objectives.
|
DCF-188 | Communication with Advisories and Special Interest Groups | Upload evidence showing the organization exchanges information with relevant security and privacy organizations, professional associations, and other specialist forums.
Example: screenshots or exports showing subscriptions to advisories or bulletin services, email alerts from sources such as CISA or CERT, participation in ISACs or professional associations, conference participation, shared threat or vulnerability updates, or internal distribution of relevant external advisories to appropriate personnel.
|
DCF-190 | Designated Security Officials | Upload evidence showing responsibility for information security has been formally assigned to a Chief Information Security Officer or another security-knowledgeable member of management.
Example: organizational chart, board or executive approval record, management appointment record, policy or governance document assigning security responsibility, or job description showing the designated individual is responsible for overseeing the organization’s information security program.
|
DCF-201 | Network Security Controls Configuration Standards | Upload your documented network security control configuration standards.
Example: firewall, router, ACL, or cloud virtual network configuration standards showing approved rule set requirements, allowed services, protocols, and ports, required business justification for each approved connection, and evidence the standards are implemented in the environment.
|
DCF-204 | Dataflow Diagram | Upload your current dataflow diagram showing data flows across systems and networks. Include evidence that the diagram was reviewed and approved by management at least annually and updated as necessary when changes occurred.
Example: the current dataflow diagram plus approval records, review signoff, change tickets, or emails confirming the diagram’s accuracy and completeness.
|
DCF-240 | Only Necessary System Functions and Services Used | Upload evidence showing only necessary services, software programs, protocols, daemons, and functions are enabled on in-scope system components in accordance with documented configuration standards.
Example: screenshots or exports from system configuration settings, endpoint or server management tools, infrastructure-as-code baselines, or hardening checklists showing enabled services, disabled unnecessary functionality, and alignment to the approved baseline configuration. |
DCF-253 | Data Secure Disposal | Upload evidence showing data is securely disposed of upon expiration of retention periods, upon customer request, or when no longer needed for legal, regulatory, or business purposes.
Example: data deletion ticket, retention schedule execution record, customer deletion request fulfillment record, or screenshots/logs showing data was securely deleted from the relevant system. |
DCF-294 | Anti-Malware Tools Behavior | Upload evidence from your anti-malware solution showing it is configured to perform periodic scans and active or real-time scans, or to perform continuous behavioral analysis of systems or processes.
Example: screenshots or exports from the anti-malware console showing scheduled scan settings, active or real-time protection settings, behavioral analysis settings if used, and the systems or policies to which those protections are applied. |
DCF-305 | Production Components Change Control Procedures | Upload documentation for a recent production change showing the change was implemented in accordance with established change management procedures.
Example: change ticket or change record showing the change description, business justification, evaluation of security requirements and impact, approval by authorized parties, rollback procedures, and records of testing, including acceptance testing and security impact testing. |
DCF-312 | Secure Code Development Training | Upload evidence of secure code development training completed by a developer within the past year.
Example: training content, videos, presentations, or agenda showing coverage of secure software design, secure coding techniques relevant to the developer’s job function and development languages, and tools used to detect vulnerabilities in software, along with completion records for the developer. |
DCF-326 | Need-to-Know Principle | Upload evidence showing access to system components and data is restricted to individuals whose job requires such access.
Example: role-based access matrix, documented role definitions, permission assignments by role, and sample user access listings showing access is aligned to job responsibilities. |
DCF-330 | Access Control Model | Upload evidence showing the organization has defined and implemented an access control model for all system components.
Example: documented access control standard or architecture describing the model used, such as role-based access control (RBAC), attribute-based access control (ABAC), or policy-based access control (PBAC), along with screenshots or exports from relevant systems showing the model is configured and enforced for user access based on job classification and function. |
DCF-363 | Entry Controls in Place | Upload evidence showing entry controls are in place to restrict physical access to corporate facilities, including systems or areas that may process or store sensitive data, to authorized personnel, and that access is logged and monitored.
Example: photos or screenshots of badge readers, biometric readers, monitored reception or front desk controls, door access system settings, and sample access logs showing entries are recorded and monitored. |
DCF-365 | Secure Physical Access Control Mechanisms | Upload evidence showing physical surveillance mechanisms are in place to deter and detect unauthorized physical access and are protected from tampering or disabling.
Example: photos or screenshots of video monitoring systems, sensors, or detectors covering relevant facility areas, along with evidence of tamper protection such as secured mounting, locked enclosures, restricted administrative access, power/network protection, or alerts for device disruption or offline status. |
DCF-366 | Physical Access Control Mechanism Periodic Data Review | Upload evidence showing data collected from video cameras and/or access control mechanisms is reviewed periodically and correlated with other entries, such as badge access logs, visitor logs, or alarm events.
Example: documented review procedure, completed periodic review records, screenshots or exports of access control or surveillance logs, investigation notes tying camera footage to badge or visitor log data, and records of ad hoc review performed in response to suspicious physical security activity. |
DCF-374 | Visitors Authorized and Escorted | Observation of a visitor being authorized before entry and escorted at all times within company facilities, including areas where sensitive data may be processed or stored.
Note: This observation can be performed by the auditor on-site or via live virtual meeting. |
DCF-375 | Personnel and Visitor Badges | Observation that onsite personnel wear a badge or other form of identification within company facilities and that visitors are issued a visitor badge or other form of identification that visibly distinguishes them from onsite personnel.
Example: observation of a visitor receiving a visitor badge and an example of the badge used. Note: This observation can be performed by the auditor on-site or via live virtual meeting. |
DCF-378 | Visitor Log | Upload evidence to show that a visitor log is maintained to keep an audit trail of visitor activity to the company facilities, computer rooms or data centers where sensitive data may be stored or transmitted (e.g., scan or photograph of the visitor log for an example day, etc.). |
DCF-406 | Audit Logging | Upload evidence showing audit logging is enabled and active for all relevant system components and sensitive data in accordance with company policies.
Example: screenshots or exports from relevant systems, cloud platforms, databases, applications, or logging tools showing audit logging is enabled, the scope of systems or data covered, and the logging settings currently in effect. |
DCF-407 | Audit Logs Data Points | Upload evidence showing that audit logs have been configured to contain user or identity, type of event, date and time, success and failure indication, origination of event, affected data, and system component, resource, or service.
Example: Screenshot or export of a sample log showing the relevant attributes. |
DCF-411 | Audit Trail for Invalid Access Attempts | Upload evidence showing that audit trails or logs are implemented for system components to capture invalid access attempts.
Example: Screenshot or export of a sample log showing the relevant log contents. Multiple invalid login attempts may be an indication of an unauthorized user's attempts to "brute force" or guess a password. |
DCF-412 | Audit Trail for Identification and Authentication Mechanism Changes | Upload evidence showing that audit trails or logs are implemented for system components to capture changes to identification and authentication credentials (e.g., creation of new accounts, elevation of privileges, changes, additions, or deletions to accounts with administrative access, etc.).
Example: Screenshot or export of a sample log showing the relevant log contents. |
DCF-429 | Limited Access to Audit Trails | Upload evidence of the users with elevated access to log systems and log data.
Example: Screenshots of the users with administrative or privileged access to log systems and log data. |
DCF-430 | Audit Trail Files Protected | Upload evidence showing audit log files are protected from unauthorized modification.
Example: screenshots or exports showing access control settings for log repositories, immutable or write-restricted storage settings, physical or logical segregation of logging infrastructure, and configurations demonstrating only authorized personnel can administer or alter audit log files. |
DCF-434 | Policies and Procedures for Logging | Upload your documented logging and monitoring policy and procedures.
Example: a policy, standard, or procedure defining logging requirements, monitoring activities, roles and responsibilities, systems or events that must be logged or monitored, alert review expectations, and related operational procedures. |
DCF-448 | Wireless Access Point Detection and Identification | Upload evidence of the most recent wireless access point detection review performed in accordance with company policy and compliance requirements.
Example: wireless scan results, rogue access point detection reports, wireless controller outputs, or other documented review results showing identified authorized and unauthorized wireless access points, along with generated alerts if automated monitoring is used and evidence the results were documented and reviewed. |
DCF-456 | Vulnerabilities Identified and Resolved | Upload evidence showing vulnerabilities identified through vulnerability scanning are tracked and remediated in accordance with company policies and procedures.
Example: vulnerability scan report showing identified critical, high, and other applicable vulnerabilities; remediation tickets or change records; documented risk-based prioritization where applicable; and subsequent rescan results confirming critical or high vulnerabilities were resolved and other remediated findings were validated as needed. |
DCF-478 | Change Detection Mechanism | Upload evidence showing file integrity monitoring or another change-detection mechanism is enabled to detect unauthorized modification of critical system files, configuration files, audit files, or content files.
Example: screenshots or exports from the change-detection solution showing monitored file paths or objects, monitoring rules or scope, alerting configurations, and evidence that unauthorized changes, additions, or deletions would generate alerts. |
DCF-503 | Multiple Methods for Security Awareness | Upload evidence showing the security awareness program uses multiple methods to communicate awareness and educate personnel, and that periodic security updates are provided through those methods.
Example: security awareness program schedule or curriculum, LMS training records, screenshots of newsletters or intranet posts, phishing simulation campaign records, team meeting materials or agendas, and distribution logs or attendance records showing periodic security updates were communicated through multiple channels. |
DCF-507 | Vendor Due Diligence | Upload evidence of due diligence performed before engaging a new vendor or service provider.
Example: completed security questionnaire, reviewed compliance reports or certifications, reviewed vendor-provided policies or procedures, documented analysis of delegated or shared responsibilities, identified risks or action items, and the completed review record showing the date and outcome of the due diligence. |
DCF-516 | Incident Response Training | Upload evidence of incident response training completed by personnel based on their assigned incident response roles and responsibilities.
Example: incident response training materials or LMS records showing general incident identification and reporting training for all personnel, role-specific incident handling training for incident response team members, and completion records showing training was completed within required timelines upon receiving system access, assuming an incident response role, when required by system changes, and at periodic intervals. |
DCF-558 | Restrictions on Software Installation and Execution | Upload evidence showing the organization has identified allowed software and implemented mechanisms to restrict and monitor the installation and execution of unauthorized software.
Example: approved software inventory or allowlist, screenshots or exports from MDM, endpoint management, application control, or EDR tools showing software installation restrictions or allow-by-exception rules, records showing unauthorized software execution is blocked or monitored, and evidence the list of allowed software is reviewed and updated periodically. |
DCF-566 | Management of Nonconformities | Upload documentation for an identified nonconformity showing root-cause analysis, corrective actions, and the results of those corrective actions.
Example: incident record, audit finding, corrective action plan, root-cause analysis, remediation tickets or change records, evidence of corrective action completion, and documented verification that the nonconformity was addressed. |
DCF-567 | Change Management Policy | Upload your documented change management policy.
Example: a policy that defines requirements for requesting, reviewing, approving, testing, implementing, documenting, and tracking changes across the organization, including changes to infrastructure, systems, and applications. |
DCF-569 | Information Labeling | Upload evidence showing the organization has developed and implemented procedures for labeling assets and information in accordance with its information classification scheme.
Example: data classification policy, information labeling standard, asset labeling procedure, screenshots of labels applied within systems or repositories, sample labeled documents, or training/process materials showing how personnel apply required labels to information and assets. |
DCF-570 | Disciplinary Process | Upload your documented disciplinary process and evidence that management retains documentation when the process is enacted.
Example: employee handbook, code of conduct, HR policy, or information security policy describing the disciplinary sanctions process for policy violations or security/privacy incidents, along with a redacted example of disciplinary documentation, case record, or HR tracking record showing the process was applied. |
DCF-571 | Fire Detection and Suppression | Upload evidence showing fire detection and suppression systems are installed in critical locations to protect people and assets in the event of a disaster, and that maintenance is conducted periodically in accordance with manufacturer guidance.
Example: observation of smoke detectors, alarms, sprinkler systems, or clean agent suppression systems in critical locations such as data centers or server rooms, along with maintenance logs, inspection reports, testing records, or service reports from the responsible vendor or facilities team. |
DCF-572 | Temperature Monitoring Systems | Upload evidence showing systems are in place to monitor and control air temperature and humidity at appropriate levels in critical areas such as server rooms or data centers, and that those environmental control systems are maintained periodically in accordance with manufacturer guidance.
Example: observation or screenshots of HVAC, environmental sensors, or building monitoring systems showing temperature and humidity monitoring and control, along with maintenance logs, calibration records, inspection records, or service reports for the related environmental control systems. |
DCF-573 | Uninterruptible Power Supply | Upload evidence showing uninterruptible power supply (UPS) systems are in place to provide backup power in data centers or server rooms, and that maintenance is conducted periodically in accordance with manufacturer guidance.
Example: observation or photos of UPS units installed in critical locations, UPS monitoring console screenshots, equipment inventory or facility diagrams showing UPS coverage, and maintenance logs, inspection reports, battery testing records, or vendor service records for the UPS systems. |
DCF-606 | Device Identification and Authentication | Upload evidence showing devices accessing the system are uniquely identified and that device identity is authenticated or verified before system access is granted.
Example: asset inventory or device registry showing device identifiers such as hostname, MAC address, IP address, serial number, certificate, or device ID; configuration screenshots from device management, NAC, MDM, IAM, or directory services showing device trust, certificate-based authentication, or device compliance checks; and sample authentication or access logs showing recognized devices are allowed and unrecognized or noncompliant devices are denied or challenged. |
DCF-607 | System Identifier Management | Upload evidence showing the organization has documented policies and procedures for assigning unique identifiers to individuals, groups, roles, services, or devices, and restricting reuse of those identifiers.
Example: access management or identity lifecycle policy, username or account naming standard, service account provisioning procedure, IAM or directory service configuration showing unique account creation, and evidence that terminated or retired identifiers are disabled and not reassigned in violation of company policy. |
DCF-616 | Remote Maintenance | Upload evidence of a recent nonlocal maintenance or diagnostic activity showing the session was approved, monitored, and properly terminated when the work was completed.
Example: remote maintenance policy or procedure, approved maintenance ticket or change record, session logs showing connection start and end times, monitoring or supervision records for the remote session, and evidence that external session and network connections were terminated promptly after completion. |
DCF-617 | Maintenance Personnel Authorization | Upload evidence showing the organization has a documented process to authorize maintenance personnel or organizations and maintains a current list of authorized parties.
Example: maintenance authorization policy or procedure, current list of authorized maintenance personnel or service providers, and records showing organizational personnel with the required access authorizations and technical competence are assigned to supervise maintenance activities performed by personnel without the required access authorizations. |
DCF-637 | Secure Development Process | Upload your documented secure software development procedures.
Example: SDLC procedure, secure development standard, engineering handbook, or internal development wiki showing how security is addressed during requirements, design, development, testing, release, and maintenance; references to industry standards or secure coding best practices; and defined security requirements such as authentication, authorization, logging, input validation, and vulnerability management. |
DCF-677 | Software Update and Patch Management | Upload evidence showing the organization has implemented a software update and patch management process for operating systems and authorized software.
Example: screenshots or exports from patch management tools, endpoint management platforms, server management consoles, or infrastructure-as-code configurations showing automated or centrally managed deployment of critical patches and application updates; documented patching policy or procedure defining priority SLAs; recent patch status or compliance reports; and evidence that missing or failed updates are tracked and remediated. |
DCF-678 | Network Security Policy | Upload your documented network security policy.
Example: a policy that defines requirements for deploying, managing, and operating network security controls such as firewalls, security groups, routers, access control lists, segmentation controls, remote access protections, change management expectations for network controls, and monitoring or review responsibilities. |
DCF-681 | Phishing Simulations | Upload evidence showing periodic phishing simulations or social engineering tests are conducted as part of the company’s security awareness initiatives.
Example: phishing simulation campaign configurations, example simulated phishing emails or landing pages, campaign schedules, completion or participation records, and dashboards or reports showing campaign results such as open rates, click rates, credential submission rates, and follow-up awareness or remedial training actions. |
DCF-684 | Redundancy of Processing | Upload evidence showing redundancy strategies have been implemented for equipment, systems, and processes as necessary to meet availability requirements defined in the business continuity plan.
Example: architecture or infrastructure diagrams showing redundant network paths, load balancers, clustered or replicated production resources, RAID or redundant storage, multiple availability zones or processing sites, redundant ISP links, UPS or backup power coverage, and recent failover, testing, maintenance, or review records demonstrating those redundancy measures are in place and operational. |
DCF-687 | Email Protection Mechanisms | Upload evidence showing the organization has implemented email protection mechanisms to maintain the integrity of email communications and detect or protect against phishing attacks, spam, and malicious emails.
Example: screenshots or exports showing SPF, DKIM, and DMARC configurations; secure email gateway or email security platform settings; anti-phishing, anti-spam, and malicious attachment/link detection rules; and sample alert, quarantine, or reporting outputs showing the protections are active. |
DCF-688 | Return of Assets | Upload evidence for a recently terminated employee or contractor showing the return of company assets was tracked and documented as part of the offboarding process.
Example: offboarding checklist, HR or IT ticket, asset return log, shipping record or prepaid return label for remote personnel, and records showing return or collection of laptops, mobile devices, badges, keys, MFA tokens, and other issued assets, along with evidence that access mechanisms not physically returned were disabled by IT or HR. |
DCF-689 | On-call Team | Upload evidence showing specific personnel are designated to be available on a 24/7 basis to respond to suspected or confirmed security incidents and operational issues.
Example: on-call rotation schedules, PagerDuty or equivalent alerting platform screenshots, escalation policies, incident response contact rosters, and records showing assigned primary and secondary on-call coverage for relevant teams. |
DCF-698 | Automated Mechanisms for Audit Log Reviews | Upload evidence showing automated mechanisms are implemented for audit record reduction and correlated audit log review and analysis.
Example: screenshots or exports from a SIEM, centralized log management platform, or event log analyzer showing correlation rules, log aggregation or normalization settings, alerting logic, dashboards or reports for correlated event analysis, and documentation identifying the audit sources feeding the platform. |
DCF-707 | Credentials for System Accounts Not Hard-Coded | Upload evidence showing the organization has implemented mechanisms to validate that authentication credentials for application and system accounts are not hard-coded in scripts, configuration/property files, or bespoke and custom source code.
Example: screenshots or exports from secret scanning tools, SAST rules, CI/CD pipeline checks, pre-commit hooks, repository scanning results, or code review requirements showing detection of hard-coded secrets, along with a sample finding or remediation record demonstrating hard-coded credentials are identified and removed before release. |
DCF-708 | Software and Third Party Libraries Inventory | Upload evidence showing the organization maintains an up-to-date inventory of bespoke/custom software and third-party software components.
Example: software bill of materials (SBOM), software composition analysis (SCA) tool outputs, application inventory records, or repository/dependency management exports showing software components, libraries, versions, and update status, along with evidence the inventory is reviewed and updated as changes occur. |
DCF-712 | Static Application Security Testing | Upload evidence showing static application security testing (SAST) or an equivalent tool is used as part of the CI/CD pipeline to detect vulnerabilities in the codebase.
Example: screenshots or exports from CI/CD pipelines, repository protections, or SAST tools showing scans execute during development or build workflows, along with sample scan results, remediation tickets or pull requests, and evidence that identified vulnerabilities are corrected prior to release as appropriate based on the nature of the vulnerability. |
DCF-741 | Logging and Monitoring Policy | Upload your documented logging and monitoring policy.
Example: a policy that defines requirements for audit logging, monitoring of system activity, roles and responsibilities, systems or events that must be logged or monitored, alerting expectations, log review expectations, and related operational requirements. |
DCF-744 | Contact with Authorities | Upload evidence of incident response procedures, playbooks, or documented communication plans showing the organization has identified relevant authorities to contact and defined the events or circumstances that require communication, the methods of communication, and the personnel responsible for that communication.
Example: incident response plan, breach notification procedure, regulatory communication matrix, supervisory authority or law enforcement contact list, or escalation procedure showing when authorities must be contacted, who is responsible, and how communication is performed. |
DCF-745 | Segregation of Duties | Upload evidence showing the organization has identified conflicting duties and areas of responsibility and implemented segregation of duties controls.
Example: segregation of duties matrix, RACI, role definition document, access control design, approval workflow documentation, or review records showing incompatible duties are assigned to different individuals. Where full segregation is not possible, include documented compensating or mitigating controls such as secondary approval, management review, monitoring, or periodic independent review. |
DCF-748 | Segmentation of Networks | Upload evidence showing network segmentation or other techniques are used to isolate portions of the environment into defined security boundaries and to control traffic between them based on business and security needs.
Example: network or security zone diagrams, firewall rules, VLAN or subnet configurations, security group rules, ACLs, router configurations, or segmentation standards showing separate zones such as office, production, guest, admin, or other sensitive environments, along with evidence that only approved traffic is permitted between zones. |
DCF-749 | Leak Detection System | Upload evidence showing critical facilities are equipped with leak detection systems to detect water in the event of a flood or leakage.
Example: observation, photos, facility diagrams, or screenshots showing leak detection sensors, alarms, or building monitoring systems installed in critical locations such as data centers, server rooms, or other sensitive facility areas. Note: This observation can be performed by the auditor on-site or via live virtual meeting. |
DCF-761 | Incident Management Procedures for Collection of Evidence | Upload evidence of documented incident management procedures for the identification, collection, acquisition, and preservation of incident-related evidence and metadata.
Example: incident response policy or forensic evidence handling procedure, incident records or post-incident reports showing the evidence handling process was followed during an actual or test incident, and training records or periodic review records showing relevant personnel are aware of and follow the evidence preservation requirements. |
DCF-762 | Managing Changes to Supplier Services | Upload evidence for a recent change to a supplier or vendor service showing the change was reviewed, due diligence was performed, and the change was authorized by management before implementation or continued use.
Example: updated vendor risk review, change request, security review record, revised contract or order form, assessment of the impact of a service expansion or supplier change, identified risks or action items, and retained evidence of management approval for the change. |
DCF-776 | Principle of Least Privilege | Upload evidence showing permissions are assigned through groups or roles based on the principle of least privilege and that wildcard permissions or other broad-access patterns are limited.
Example: role-based access matrix, IAM group or role definitions, permission set configurations, sample user-to-role assignments for in-scope systems, and screenshots or exports showing overly broad permissions such as wildcard access are restricted, prohibited, or tightly controlled by documented exception. |
DCF-780 | Web Filtering | Upload evidence showing the organization has implemented web filtering mechanisms to enforce the company’s internet usage policies.
Example: screenshots or exports from a secure web gateway, DNS filter, proxy, browser security control, or endpoint web filtering tool showing blocked categories or destinations, policies restricting access to prohibited or high-risk web resources, threat-intelligence or reputation-based filtering settings, and sample logs or reports showing access to known malicious or disallowed sites is blocked and recorded. |
DCF-784 | Software Composition Analysis (SCA) | Upload evidence showing the organization checks software components and libraries for policy and license compliance, security risks, and supported versions using software composition analysis (SCA) or equivalent mechanisms.
Example: screenshots or exports from SCA tools, CI/CD pipeline checks, dependency management tools, or SBOM platforms showing identified third-party components, license and policy compliance checks, vulnerability findings, supported version status, and remediation records demonstrating identified issues are addressed in accordance with the company’s vulnerability management policies. |
DCF-785 | Supported System Components | Upload evidence showing the organization maintains secure and supported configuration standards and supported versions for system components.
Example: baseline configuration standards, supported software or hardware standards, approved version inventories, end-of-life tracking records, vulnerability or asset management reports identifying unsupported components, replacement plans for components no longer supported by the vendor or manufacturer, and documented compensating or risk mitigation strategies for any unsupported components that cannot yet be replaced. |
DCF-786 | Defined Company Objectives | Upload evidence showing management has defined company objectives and communicated them to personnel.
Example: company mission and vision statements, strategic plan, annual operating plan, OKRs, departmental goals, board or leadership materials, or company-wide communications showing operational objectives, financial performance goals, security or compliance objectives, and other business objectives that serve as a basis for risk assessment activities, along with evidence those objectives and any updates are communicated internally. |
DCF-789 | Expectations of Interested Parties | Upload documentation showing the organization has identified interested parties relevant to information security and documented their requirements and expectations, along with how those requirements and expectations will be addressed.
Example: interested parties register, stakeholder analysis, ISMS scope or management system scope documentation, contractual requirements register, legal or regulatory requirements register, customer security requirements tracker, or governance records showing internal and external stakeholders, their expectations, and the related controls, obligations, or actions used to address them. |
DCF-795 | Transferred Personnel Access Validation | Upload evidence for a recently transferred or reassigned employee showing logical and physical access were reviewed and updated to align with the individual’s new job responsibilities.
Example: role change ticket, HR transfer record, access review record, IAM workflow, physical access change request, updated group or role assignments, removed permissions no longer needed, and retained documentation showing the review and resulting access modifications were completed and approved. |
DCF-814 | Security Impact Assessment for Changes | Upload evidence showing system changes are evaluated for security impact prior to implementation and that security requirements are validated after implementation.
Example: change management policy or procedure describing security impact assessment requirements, a completed change impact assessment or change ticket showing identified security implications and required controls, and post-implementation validation records showing security requirements were tested or confirmed after the change was deployed. |
DCF-817 | Cloud Security Configuration Monitoring | Upload evidence showing the organization uses automated tools to continuously monitor cloud security configurations and risks.
Example: cloud security posture management (CSPM) or cloud configuration monitoring tool settings showing enabled policies or rules, monitored cloud accounts or subscriptions, recent scan or monitoring reports identifying misconfigurations, vulnerabilities, or security risks, and remediation or incident tickets showing findings were reviewed, tracked, and resolved. |
DCF-818 | Physical Access Devices Controlled | Upload evidence showing physical access devices are identified, controlled so they are only available to authorized personnel, and managed through their lifecycle.
Example: physical access control policy or procedure; inventory or register of keys, badges, fobs, access cards, lock combinations, and card readers; assignment records showing authorized personnel; issuance and return logs; deactivation or rekeying records; and periodic review records showing physical access devices are tracked, updated, and controlled. |
DCF-819 | Control of Removable Media | Upload evidence showing the organization restricts the use of removable media to authorized media types with documented business justification and prohibits all other types through policy and/or technical mechanisms.
Example: removable media policy or acceptable use policy defining allowed media types and approval requirements; documented exception or business justification records for approved use; endpoint, MDM, EDR, or device control settings showing unauthorized removable media is blocked or restricted; and personnel acknowledgments or training records showing workforce members were informed of the rules governing removable media use. |
DCF-826 | Role-Based Security Training | Upload evidence showing the organization has defined security-related roles and responsibilities and assigned specialized information security training for those roles.
Example: role descriptions or responsibility matrix identifying security-related duties; role-based training curriculum or training content covering the specific security topics, skills, processes, or methodologies required for each role; and completion records showing personnel completed the required training before being granted access to systems or sensitive data or performing assigned duties, with periodic refresher training completed thereafter. |
DCF-827 | Role-Based Security Training Program Updates | Upload evidence showing the organization reviews and updates its role-based security training program and training content at defined periodic intervals and after significant events.
Example: documented policy or procedure requiring scheduled training program reviews; completed review records or meeting notes for recent training program evaluations; updated training materials, curriculum, or role-based training matrices showing revisions; and records showing updates were made in response to incidents, assessment findings, regulatory changes, or the introduction of new tools, technologies, or processes. |
DCF-828 | Incident Handling Capability | Upload evidence showing the organization has implemented an incident-handling capability consistent with its incident response plan across the full incident lifecycle.
Example: formally approved incident response plan; incident detection and triage procedures or tooling; recent incident records showing analysis, containment, eradication, recovery, and user response activities; incident response team roles or on-call assignments; and training or exercise records demonstrating personnel are prepared to execute the plan. |
DCF-829 | Network Traffic Monitoring | Upload evidence showing the organization monitors and logs inbound and outbound network communications traffic to detect unusual or unauthorized activities or events.
Example: network monitoring or network detection and response tool configurations, firewall or IDS/IPS monitoring settings, NetFlow or traffic analysis dashboards, sample network traffic logs, and alert records or investigation tickets showing unusual or unauthorized traffic was detected, reviewed, and acted upon. |
DCF-868 | Cybersecurity Supply Chain Risk Management Program | Upload evidence of your documented cybersecurity supply chain risk management (C-SCRM) program.
Example: C-SCRM program plan or strategy document defining program objectives, scope, roles and responsibilities, implementation milestones, and governance; supporting policies and procedures for supplier risk management, due diligence, ongoing monitoring, incident response, and contract management; stakeholder or management approval records; and evidence of periodic review, updates, and program improvement activities. |
DCF-870 | Integrated Cybersecurity Supply Chain Risk Management | Upload evidence showing cybersecurity supply chain risk management activities and outcomes are integrated into enterprise risk management processes and managed alongside other enterprise risks.
Example: enterprise risk register entries for supplier or supply chain risks; C-SCRM risk assessments linked to enterprise risk treatment plans; governance or risk committee materials showing supply chain risks are reviewed with other enterprise risks; contractual requirements or supplier security clauses supporting risk treatment; ongoing supplier monitoring records; and incident response or issue management records showing supply-chain-related incidents feed into the broader enterprise risk management process. |