WorkSwarm
Trust Center - Confidential
Version 1.0
Updated 2026-05-08
Compliancev1.0 · Updated 2026-05-08 · 12 pages
NIST Cybersecurity Framework Control Map
Detailed mapping of WorkSwarm's security controls to the NIST Cybersecurity Framework (CSF) 2.0 functions, categories, and subcategories.
Prepared by Chief Information Security Officer, WorkSwarm, Inc.
Contents
About This Document
This document maps WorkSwarm's security controls to the NIST Cybersecurity Framework (CSF) 2.0 - the most widely adopted cybersecurity framework globally. It is intended for security teams performing vendor assessments, compliance officers mapping controls to organizational requirements, and auditors verifying control coverage.
Each NIST CSF function (Identify, Protect, Detect, Respond, Recover) is addressed with specific WorkSwarm controls, implementation details, and evidence references.
1. IDENTIFY (ID)
The Identify function covers asset management, business environment understanding, governance, risk assessment, and risk management strategy.
| Category | Subcategory | WorkSwarm Control | Evidence |
|---|---|---|---|
| ID.AM - Asset Management | ID.AM-1: Physical devices and systems inventoried | All infrastructure managed as Infrastructure-as-Code (Terraform). Asset inventory auto-generated from cloud provider APIs. Updated in real time. | Terraform state files, AWS Config inventory |
| ID.AM - Asset Management | ID.AM-2: Software platforms and applications inventoried | SBOM generated for every release. All dependencies tracked in dependency management system with automated vulnerability scanning. | SBOM exports, Dependabot reports |
| ID.AM - Asset Management | ID.AM-5: Resources prioritized based on classification | Four-tier data classification: Public, Internal, Confidential, Restricted. Classification enforced at storage and access layers. | Data classification policy, tagging enforcement |
| ID.GV - Governance | ID.GV-1: Security policy established and communicated | Information Security Policy reviewed annually by CISO. Communicated to all employees during onboarding and annual security awareness training. | Policy document, training completion records |
| ID.GV - Governance | ID.GV-4: Governance and risk management processes address cybersecurity risks | Quarterly risk assessment using NIST SP 800-30. Risk register maintained by CISO. Board-level reporting on cybersecurity posture. | Risk register, board reports |
| ID.RA - Risk Assessment | ID.RA-1: Asset vulnerabilities identified | Automated vulnerability scanning (infrastructure and application). Quarterly external scans. Annual penetration test. | Scan reports, pen test summary |
| ID.RA - Risk Assessment | ID.RA-3: Threats identified and documented | Threat modeling (STRIDE) for all features. Threat intelligence feeds integrated. Quarterly threat landscape review. | Threat models, intelligence reports |
| ID.SC - Supply Chain | ID.SC-1: Supply chain risk management processes | Formal vendor assessment before onboarding. Annual reassessment. SOC 2 or equivalent required for sub-processors. | Vendor assessment records, sub-processor register |
2. PROTECT (PR)
The Protect function covers access control, awareness and training, data security, information protection processes, maintenance, and protective technology.
| Category | Subcategory | WorkSwarm Control | Evidence |
|---|---|---|---|
| PR.AC - Access Control | PR.AC-1: Identities and credentials managed | SSO (SAML 2.0, OIDC), SCIM provisioning, MFA required. API keys with IP allowlisting and 90-day rotation. | IdP configuration, MFA enforcement logs |
| PR.AC - Access Control | PR.AC-3: Remote access managed | Zero-trust architecture. All access authenticated regardless of network. VPN not required - identity is the perimeter. | Network architecture docs, access logs |
| PR.AC - Access Control | PR.AC-4: Access permissions managed (least privilege) | RBAC + ABAC model. Five default roles (Owner, Admin, Member, Guest, AI Agent). Custom roles on Enterprise tier. Quarterly access review. | RBAC config, access review records |
| PR.AC - Access Control | PR.AC-5: Network integrity protected | VPC isolation, private subnets, security groups, NACLs. No public-facing databases. mTLS between services. | VPC configuration, network diagrams |
| PR.AT - Awareness/Training | PR.AT-1: Users informed and trained | Security awareness training at onboarding. Annual refresher. Phishing simulations quarterly. Role-specific training for engineers. | Training records, phishing results |
| PR.DS - Data Security | PR.DS-1: Data at rest protected | AES-256-GCM encryption. Per-tenant keys. BYOK (Enterprise) and HYOK (Enterprise Plus) supported. | Encryption configuration, KMS audit logs |
| PR.DS - Data Security | PR.DS-2: Data in transit protected | TLS 1.3 for all external connections. mTLS for internal service-to-service. Certificate pinning for mobile. | TLS configuration, certificate inventory |
| PR.DS - Data Security | PR.DS-5: Protections against data leaks | DLP controls on LLM outputs. PII detection and redaction before external API calls. Content filtering on all AI outputs. | DLP policy, PII detection logs |
| PR.IP - Information Protection | PR.IP-1: Security configuration baseline maintained | CIS benchmarks applied to all infrastructure. Automated compliance scanning. Drift detection with automatic remediation. | CIS scan reports, drift detection logs |
| PR.IP - Information Protection | PR.IP-12: Vulnerability management plan | Critical CVEs patched within 24 hours. High within 7 days. Medium within 30 days. Low within 90 days. Automated scanning and alerting. | Vulnerability scan reports, patch records |
| PR.MA - Maintenance | PR.MA-1: Maintenance and repair performed | Immutable infrastructure - no in-place patching. New container images built, scanned, and deployed. Blue-green deployments with instant rollback. | Deployment logs, container scan reports |
| PR.PT - Protective Technology | PR.PT-1: Audit/log records maintained | Immutable, hash-chained audit logs. 7-year retention. HSM-signed. SIEM streaming (Splunk, Sentinel, Elastic, Datadog). | Audit log samples, SIEM integration config |
3. DETECT (DE)
The Detect function covers anomaly and event detection, security continuous monitoring, and detection processes.
| Category | Subcategory | WorkSwarm Control | Evidence |
|---|---|---|---|
| DE.AE - Anomalies/Events | DE.AE-1: Baseline of network operations established | Baseline traffic patterns established per tenant. ML-based anomaly detection for unusual API patterns, data access, and agent behavior. | Monitoring dashboards, anomaly detection config |
| DE.AE - Anomalies/Events | DE.AE-3: Event data aggregated and correlated | Centralized SIEM with correlation rules. Events from infrastructure, application, identity, and AI layers correlated in real time. | SIEM rules, correlation reports |
| DE.CM - Continuous Monitoring | DE.CM-1: Network monitored for events | VPC Flow Logs, GuardDuty, WAF logs. Real-time alerting on suspicious patterns. 24/7 monitoring with automated escalation. | GuardDuty findings, alert runbooks |
| DE.CM - Continuous Monitoring | DE.CM-4: Malicious code detected | Container image scanning before deployment. Runtime protection. File integrity monitoring on critical systems. | Scan reports, FIM alerts |
| DE.CM - Continuous Monitoring | DE.CM-7: Monitoring for unauthorized access | Failed authentication monitoring with automatic lockout. Impossible travel detection. Privileged access alerting. | Auth logs, impossible travel alerts |
| DE.DP - Detection Processes | DE.DP-4: Event detection communicated | Automated alert routing to security team. Customer notification within 4 hours for Severity 0/1. Regulatory notification per jurisdiction. | Incident notification SOP |
4. RESPOND (RS)
The Respond function covers response planning, communications, analysis, mitigation, and improvements.
| Category | Subcategory | WorkSwarm Control | Evidence |
|---|---|---|---|
| RS.RP - Response Planning | RS.RP-1: Response plan executed | Documented Incident Response Plan. Severity classification (P0-P4). Tested quarterly via tabletop exercises. | IRP document, tabletop exercise records |
| RS.CO - Communications | RS.CO-2: Incidents reported per requirements | Customer notification: 4 hours (P0/P1). GDPR DPA: 72 hours. DPDP Act: 72 hours. CERT-In: 6 hours. IRDAI: 24 hours. | Notification SLAs, regulatory matrix |
| RS.AN - Analysis | RS.AN-1: Notifications investigated | Dedicated incident response team. Root cause analysis for all P0-P2 incidents. Forensic capabilities maintained. | Investigation records, RCA reports |
| RS.MI - Mitigation | RS.MI-1: Incidents contained | Automated containment for common attack patterns. Manual containment procedures for novel attacks. Tenant-level isolation capability. | Containment procedures, isolation records |
| RS.MI - Mitigation | RS.MI-2: Incidents mitigated | Post-mortem published within 14 days. Root cause addressed with verified fix. Regression tests added. | Post-mortem reports |
| RS.IM - Improvements | RS.IM-1: Response plans incorporate lessons | IRP updated after every P0-P2 incident. Annual comprehensive review. Third-party review of IRP every two years. | IRP revision history |
5. RECOVER (RC)
The Recover function covers recovery planning, improvements, and communications during recovery.
| Category | Subcategory | WorkSwarm Control | Evidence |
|---|---|---|---|
| RC.RP - Recovery Planning | RC.RP-1: Recovery plan executed | Business Continuity Plan and Disaster Recovery Plan maintained. RTO: 4 hours. RPO: 15 minutes. Multi-AZ and cross-region replication. | BCP/DRP documents, DR test results |
| RC.IM - Improvements | RC.IM-1: Recovery plans incorporate lessons | Post-DR-test review. Plan updated quarterly. Third-party review annually. | DR test reports, plan revision history |
| RC.CO - Communications | RC.CO-3: Recovery activities communicated | Status page updated during incidents. Customer notification at incident start, hourly updates during response, final update at resolution. | Status page history, notification records |
6. Summary Coverage
This control map covers all five NIST CSF 2.0 functions across 23 categories. WorkSwarm implements controls for every subcategory relevant to a SaaS AI platform.
For detailed evidence or walkthrough of any specific control, contact trust@workswarm.ai.
| Function | Categories Covered | Coverage |
|---|---|---|
| Identify (ID) | 4 of 4: AM, GV, RA, SC | Full |
| Protect (PR) | 6 of 6: AC, AT, DS, IP, MA, PT | Full |
| Detect (DE) | 3 of 3: AE, CM, DP | Full |
| Respond (RS) | 5 of 5: RP, CO, AN, MI, IM | Full |
| Recover (RC) | 3 of 3: RP, IM, CO | Full |
Disclaimer:This document is provided for informational purposes and represents WorkSwarm's current security posture and planned controls. Legal templates are provided as starting points and should be reviewed by your legal counsel before execution. Certification timelines are targets and subject to change based on auditor availability and assessment outcomes.
© 2026 WorkSwarm, Inc. · Confidential · workswarm.ai/trust
NIST Cybersecurity Framework Control Map
12 pages · PDF