API Security
Secure APIs through authentication, rate limiting, input validation, and monitoring.
9 of 9 frameworks cover this control
Framework Mappings
How API Security maps to each of the 9 cybersecurity frameworks tracked by ControlMap.
| Framework | Status | Control IDs |
|---|---|---|
| NIST CSF 2.0 | Covered | PR.IR-01, PR.AA-03 |
| ISO 27001 | Covered | A.8.23, A.8.26, A.8.28 |
| CIS v8 | Covered | CIS 16.4 |
| SOC 2 | Covered | CC6.1, CC6.6, CC8.1 |
| PCI DSS | Covered | 6.2.1, 6.2.3, 6.5.4 |
| CMMC | Covered | SC.L2-3.13.1, SA.L2-3.16.1 |
| 800-53 | Covered | SC-7, SA-11 |
| HIPAA | Covered | §164.312(a)(1), §164.312(e)(1) |
| GDPR | Covered | Art.25(1), Art.32(1)(b) |
About API Security
API Security is a cybersecurity control in the Protect domain: it secures APIs through authentication, rate limiting, input validation, and monitoring. API security protects application programming interfaces from abuse, unauthorized access, and data exposure as organizations increasingly rely on APIs for system integration, mobile applications, and partner connectivity. Key controls include OAuth 2.0 or API key authentication, rate limiting and throttling to prevent abuse, validation of all input to prevent injection attacks, and logging of API calls for monitoring and forensic purposes. Organizations should maintain a complete inventory of all APIs, test API security regularly against the OWASP API Security Top 10, and deploy API gateways that centralize authentication, authorization, and traffic management.
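The four key controls named above, as an added example that is not ControlMap's code or any framework's reference implementation: a gateway-style request guard in Python that authenticates an API key in constant time, rate-limits per authenticated client with a token bucket, allow-list validates the JSON body, and logs every outcome. The credential store, the `account`/`amount` field names and the numeric limits are constructed sample values.

```python
import hmac
import json
import logging
import time

log = logging.getLogger("api")
# Constructed sample store (API key -> client id); never keep literal keys in source.
API_KEYS = {"k-demo-1234": "partner-a"}
RATE, BURST = 5, 10  # token-bucket refill per second and capacity
_buckets = {}        # client id -> (tokens, timestamp of last refill)
def _authenticate(headers):
    presented = headers.get("X-API-Key", "")  # fail closed when header absent
    for key, client in API_KEYS.items():
        if hmac.compare_digest(presented.encode(), key.encode()):  # constant time
            return client
    return None
def _allow(client, now):
    # Token bucket keyed on the authenticated client, not the source IP.
    tokens, last = _buckets.get(client, (BURST, now))
    tokens = min(BURST, tokens + (now - last) * RATE)
    allowed = tokens >= 1
    _buckets[client] = (tokens - allowed, now)  # spend one token only if allowed
    return allowed
def _validate(body):
    # Allow-list validation: exactly the known fields, bounded type and size.
    try:
        data = json.loads(body)
    except ValueError:
        return None
    if not isinstance(data, dict) or set(data) != {"account", "amount"}:
        return None
    acct, amount = data["account"], data["amount"]
    ok = (isinstance(acct, str) and acct.isalnum() and len(acct) <= 32
          and type(amount) is int and 0 < amount <= 1_000_000)  # bool excluded
    return data if ok else None
def _deny(status, event, client):
    log.warning("%s client=%s status=%d", event, client, status)
    return status, {"error": event}
def handle(headers, body, now=None):
    # Gateway-style guard returning (status, payload); every outcome is logged.
    now = time.monotonic() if now is None else now
    client = _authenticate(headers)
    if client is None:
        return _deny(401, "auth_failed", None)
    if not _allow(client, now):
        return _deny(429, "rate_limited", client)
    data = _validate(body)
    if data is None:
        return _deny(400, "invalid_input", client)
    log.info("accepted client=%s account=%s", client, data["account"])
    return 200, {"accepted": data}
```

Rate limiting runs after authentication so that quota is charged to the verified client identity; the `now` parameter injects the clock so the bucket behaviour can be checked deterministically.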
This control is recognized by all 9 major frameworks tracked here: NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, HIPAA, and GDPR, so it has full coverage across every framework in the mapping.