KSI-CNA-RVP—Reviewing Protections
Formerly KSI-CNA-05
Trust Center Components
Ways to express your implementation of this indicator — approaches vary by organization size, complexity, and data sensitivity.
From the field: Mature implementations express patch management through compliance dashboards — SLA adherence by severity level, overdue patch counts, and deployment success rates as live metrics. Automated patching pipelines handle routine updates, with policy engines enforcing patch windows and pre-deployment testing requirements.
- Patch Compliance Dashboard: dashboard expressing patch posture — compliance percentages by severity, overdue patches, and remediation velocity as live indicators
- Patch Testing Procedures: how patches are tested and validated before production deployment — including automated testing in staging environments
- Patch Management Policy: human-readable patch management policy with SLAs for critical, high, and routine patches — documents intent behind automated patching
Programmatic Queries
CLI Commands
aws wafv2 list-web-acls --scope REGIONAL --query "WebACLs[].{Name:Name,Id:Id}" --output table
aws wafv2 get-web-acl --name <name> --scope REGIONAL --id <id> --query "WebACL.Rules[].{Name:Name,Priority:Priority,Action:Action}" --output table
20x Assessment Focus Areas
Aligned with FedRAMP 20x Phase Two assessment methodology
Completeness & Coverage:
- Does your DoS and unwanted activity protection cover all entry points — public APIs, web applications, DNS, email, and internal service-to-service traffic?
- Are protections in place for all layers — volumetric (L3/L4), protocol (L4), and application-layer (L7) attacks?
- How do you ensure third-party or inherited services (CDN, DNS provider, IaaS) also have adequate DoS protections, and are their SLAs documented?
- Are there any services or endpoints where DoS protection is limited or absent, and how are those risks documented?
Automation & Validation:
- What automated mechanisms detect and mitigate DoS attacks in real time, and what is the maximum time from attack start to mitigation activation?
- How do you test DoS protection effectiveness — do you run controlled load tests or DDoS simulations against production or staging?
- What happens if your DDoS mitigation provider itself experiences an outage — what failover protection applies?
- How do you automatically distinguish between legitimate traffic spikes (product launch, press coverage) and attack traffic to avoid blocking real users?
Inventory & Integration:
- What DDoS mitigation services and tools are in your stack (cloud provider native, third-party CDN, WAF), and how do they coordinate during an attack?
- How do DoS detection alerts integrate with your SIEM and incident response workflow?
- Are rate-limiting and traffic-shaping configurations defined as code and applied consistently across all services?
- How do you coordinate DDoS response with your cloud provider's support and mitigation teams?
Continuous Evidence & Schedules:
- How frequently do you review and test DoS protection effectiveness, and what evidence proves each review was completed?
- Is DoS mitigation telemetry (blocked traffic volume, attack types, mitigation response times) available via API or dashboard?
- What evidence shows protections have been improved based on past attacks or effectiveness reviews?
- How do you demonstrate that DoS protections remain effective as your traffic patterns and architecture evolve?
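As an added example (not part of this KSI page or of any FedRAMP tooling), the script below consumes the JSON that `aws wafv2 get-web-acl` prints and turns two of the review questions above into a repeatable check: is there a rate-based rule that actually blocks, and does every rule emit CloudWatch metrics so mitigation telemetry exists. The Web ACL embedded in it is constructed for illustration; the field names follow the WAFv2 API.

```python
"""Review a WAFv2 Web ACL definition for DoS protection coverage.

Added example, not the KSI page's own tooling: reads the JSON that
`aws wafv2 get-web-acl` prints and reports whether the ACL contains a
rate-based rule that actually blocks, and whether every rule emits
CloudWatch metrics (the telemetry the review questions ask for).
"""
import json

# Constructed sample in the shape of `aws wafv2 get-web-acl` output.
SAMPLE_WEB_ACL = json.dumps({"WebACL": {
    "Name": "example-public-api",
    "DefaultAction": {"Allow": {}},
    "Rules": [
        {"Name": "rate-limit-per-ip", "Priority": 0,
         "Statement": {"RateBasedStatement": {"Limit": 2000, "AggregateKeyType": "IP"}},
         "Action": {"Count": {}},  # Count only observes; it never mitigates
         "VisibilityConfig": {"SampledRequestsEnabled": True,
                              "CloudWatchMetricsEnabled": True, "MetricName": "rate-limit-per-ip"}},
        {"Name": "managed-common", "Priority": 1,
         "Statement": {"ManagedRuleGroupStatement": {"VendorName": "AWS", "Name": "AWSManagedRulesCommonRuleSet"}},
         "OverrideAction": {"None": {}},
         "VisibilityConfig": {"SampledRequestsEnabled": True,
                              "CloudWatchMetricsEnabled": False, "MetricName": "managed-common"}},
    ]}})


def review_web_acl(raw_json):
    """Return a list of findings; an empty list means the ACL passes these checks."""
    acl = json.loads(raw_json)["WebACL"]
    name = acl["Name"]
    findings = []
    # Rate-based statements are the WAF's L7 request-rate control.
    rate_rules = [r for r in acl["Rules"] if "RateBasedStatement" in r.get("Statement", {})]
    if not rate_rules:
        findings.append(f"{name}: no rate-based rule, so no L7 request-rate control")
    for r in rate_rules:
        action = next(iter(r.get("Action", {})), "none")
        if action != "Block":
            findings.append(f"{name}/{r['Name']}: rate-based rule does not block (action {action})")
    # Without CloudWatch metrics there is no blocked-traffic telemetry to review.
    for r in acl["Rules"]:
        if not r.get("VisibilityConfig", {}).get("CloudWatchMetricsEnabled"):
            findings.append(f"{name}/{r['Name']}: CloudWatch metrics disabled, no mitigation telemetry")
    return findings


if __name__ == "__main__":
    for finding in review_web_acl(SAMPLE_WEB_ACL):
        print("FINDING:", finding)
```

Pipe the real command output into `review_web_acl` for each ACL returned by `list-web-acls` to produce the per-review evidence the schedule questions ask for.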