WAF
Deploy web application firewalls to protect services.
9 of 9 frameworks cover this control
Framework Mappings
How WAF maps to each of the 9 cybersecurity frameworks tracked by ControlMap.
| Framework | Status | Control IDs |
|---|---|---|
| NIST CSF 2.0 | Covered | PR.IR-01 |
| ISO 27001 | Covered | A.8.23 |
| CIS v8 | Covered | CIS 13.10 |
| SOC 2 | Covered | CC6.6 |
| PCI DSS | Covered | 6.4.1 6.4.2 |
| CMMC | Covered | SC.L2-3.13.1 |
| 800-53 | Covered | SC-7 SI-3 |
| HIPAA | Covered | §164.312(e)(1) |
| GDPR | Covered | Art.32(1)(b) |
About WAF
WAF is a cybersecurity control in the Protect domain. Deploy web application firewalls to protect services. Web application firewalls (WAFs) inspect HTTP/HTTPS traffic to and from web applications, blocking common attack patterns such as SQL injection, cross-site scripting, and remote file inclusion before they reach the application layer. WAFs can be deployed as cloud-based services, hardware appliances, or software modules, with rule sets that should be tuned to the specific application to minimize false positives while maintaining protection. PCI DSS v4.0 specifically requires WAFs or equivalent solutions for public-facing web applications, and organizations should regularly review WAF logs and update rule sets to address newly discovered attack techniques.
This control is recognized by 9 of the 9 major frameworks: NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, HIPAA, GDPR. It has full coverage across all 9 frameworks.