Protect (PR)
Develop and implement appropriate safeguards to ensure delivery of critical services. Controls in this function limit or contain the impact of potential cybersecurity events.
42 controls with this tag.
| ID | Title | Status | Owner | CSF Function |
|---|---|---|---|---|
| SID-ACCESS-01 | Multi-Tenant Isolation | verified | platform | protect |
| SID-ACCESS-02 | Rate Limiting and Brute-Force Protection | verified | platform | protect |
| SID-ACCESS-03 | User Consent Before Credential Disclosure | verified | platform | protect |
| SID-ACCESS-04 | SPOCP Policy-Based Query Authorization | verified | platform | protect |
| SID-AUTH-01 | FIDO2/WebAuthn Passwordless Authentication | verified | platform | protect |
| SID-AUTH-02 | JWT Bearer Token Session Management | verified | platform | protect |
| SID-AUTH-03 | OIDC Gate for External Identity Providers | verified | platform | protect |
| SID-AUTH-04 | WebSocket JWT Handshake Authentication | verified | platform | protect |
| SID-CRYPTO-01 | PKCS#11 HSM Key Protection | verified | platform | protect |
| SID-CRYPTO-02 | PRF Extension Key Derivation | verified | platform | protect |
| SID-CRYPTO-03 | AES-256-GCM Encrypted Keystore | verified | platform | protect |
| SID-CRYPTO-04 | COSE Sign1 and mDOC Cryptography | verified | platform | protect |
| SID-CRYPTO-05 | Secure Random Number Generation | verified | platform | protect |
| SID-DATA-01 | SD-JWT Selective Disclosure | verified | platform | protect |
| SID-DATA-02 | mDOC Element-Level Selective Disclosure | verified | platform | protect |
| SID-DATA-03 | Credential Revocation via Token Status List | verified | platform | protect |
| SID-DATA-04 | VCTM Schema Validation | verified | platform | protect |
| SID-DATA-05 | Gate/Remove Dead VC/VP Storage Paths | verified | platform | protect |
| SID-DATA-06 | PII Field Encryption for User Records | to_do | platform | protect |
| SID-HARD-01 | Error Message Sanitization | verified | platform | protect |
| SID-HARD-02 | Input Validation and Injection Prevention | verified | platform | protect |
| SID-HARD-03 | Network Segmentation (Separate Server Ports) | verified | platform | protect |
| SID-HARD-04 | Secure Registration Enforcement | verified | platform | protect |
| SID-HARD-05 | Browser Security Controls | verified | platform | protect |
| SID-KEY-01 | WSCA WebSocket Key Signing Delegation | verified | platform | protect |
| SID-KEY-02 | IACA Certificate Management | verified | platform | protect |
| SID-KEY-03 | FIDO WSCD via Sign Extension (previewSign) | to_do | platform | protect |
| SID-OPS-08 | Secure Development Lifecycle | to_do | platform | protect |
| SID-PPL-01 | Personnel Screening and Onboarding | to_do | operator | protect |
| SID-PPL-02 | Security Awareness, Education, and Training | to_do | operator | protect |
| SID-PPL-03 | Confidentiality and Non-Disclosure Agreements | to_do | operator | protect |
| SID-PHY-01 | Data Center Physical Security | to_do | operator | protect |
| SID-PHY-02 | Equipment and Media Security | to_do | operator | protect |
| SID-PRIV-01 | Minimal Disclosure Enforcement | verified | platform | protect |
| SID-PRIV-02 | VP Nonce Binding (Anti-Replay) | verified | platform | protect |
| SID-PRIV-03 | Right-to-Erasure Bulk Deletion API | to_do | platform | protect |
| SID-TRANS-01 | TLS 1.2+ Minimum with Configurable Version | verified | platform | protect |
| SID-TRANS-02 | OpenID4VCI Credential Issuance Protocol | verified | platform | protect |
| SID-TRANS-03 | OpenID4VP Credential Presentation Protocol | verified | platform | protect |
| SID-TRANS-04 | SSRF-Protected HTTP Client | verified | platform | protect |
| SID-TRUST-03 | Issuer and Verifier Trust Gating | verified | platform | protect |
| SID-TRUST-04 | Trust Decision Caching with Circuit Breaker | verified | platform | protect |