Skip to main content

AST-04: Network Diagrams & Data Flow Diagrams (DFDs)

AST 10 — Critical Identify

Mechanisms exist to maintain network architecture diagrams that: (1) Contain sufficient detail to assess the security of the network's architecture; (2) Reflect the current architecture of the network environment; and (3) Document all sensitive/regulated data flows.

Control Question: Does the organization maintain network architecture diagrams that: (1) Contain sufficient detail to assess the security of the network's architecture; (2) Reflect the current architecture of the network environment; and (3) Document all sensitive/regulated data flows?

General (47)
Framework Mapping Values
AICPA TSC 2017:2022 (used for SOC 2) (source) C1.1-POF1 CC2.1 CC2.1-POF2 CC2.1-POF5
CIS CSC 8.1 3.8 12.4
CIS CSC 8.1 IG2 3.8 12.4
CIS CSC 8.1 IG3 3.8 12.4
COSO 2017 Principle 13
CSA CCM 4 DSP-05 IVS-08
CSA IoT SCF 2 DAT-03
GovRAMP Low PL-02
GovRAMP Low+ PL-02
GovRAMP Moderate PL-02 SA-04(01)
GovRAMP High PL-02 SA-04(01) SA-04(02)
ISO 27002 2022 5.9 8.20
MPA Content Security Program 5.1 TS-2.2
NIST Privacy Framework 1.0 ID.IM-P1
NIST 800-37 R2 P-11
NIST 800-53 R4 PL-2 SA-5(1) SA-5(2) SA-5(3) SA-5(4)
NIST 800-53 R4 (low) PL-2
NIST 800-53 R4 (moderate) PL-2
NIST 800-53 R4 (high) PL-2
NIST 800-53 R5 (source) PL-2 SA-4(1) SA-4(2)
NIST 800-53B R5 (privacy) (source) PL-2
NIST 800-53B R5 (low) (source) PL-2
NIST 800-53B R5 (moderate) (source) PL-2 SA-4(1) SA-4(2)
NIST 800-53B R5 (high) (source) PL-2 SA-4(1) SA-4(2)
NIST 800-82 R3 LOW OT Overlay PL-2
NIST 800-82 R3 MODERATE OT Overlay PL-2 SA-4(1) SA-4(2)
NIST 800-82 R3 HIGH OT Overlay PL-2 SA-4(1) SA-4(2)
NIST 800-161 R1 PL-2
NIST 800-161 R1 C-SCRM Baseline PL-2
NIST 800-161 R1 Flow Down PL-2
NIST 800-161 R1 Level 3 PL-2
NIST 800-171 R3 (source) 03.01.03 03.04.11.a 03.04.11.b
NIST 800-172 3.1.3e
NIST 800-207 NIST Tenet 1
NIST CSF 2.0 (source) ID.AM-03
PCI DSS 4.0.1 (source) 1.2.3 1.2.4
PCI DSS 4.0.1 SAQ A-EP (source) 1.2.3 1.2.4
PCI DSS 4.0.1 SAQ B-IP (source) 1.2.3
PCI DSS 4.0.1 SAQ D Merchant (source) 1.2.3 1.2.4
PCI DSS 4.0.1 SAQ D Service Provider (source) 1.2.3 1.2.4
SPARTA CM0022
UL 2900-1 2017 4.1 5.1 6.1 6.2 6.3 6.4 6.5 6.6 6.7 6.8 6.9
SCF CORE Fundamentals AST-04
SCF CORE Mergers, Acquisitions & Divestitures (MA&D) AST-04
SCF CORE ESP Level 1 Foundational AST-04
SCF CORE ESP Level 2 Critical Infrastructure AST-04
SCF CORE ESP Level 3 Advanced Threats AST-04
US (25)
Framework Mapping Values
US CERT RMM 1.2 AM:SG1.SP1 EF:SG2.SP1 TM:SG1.SP1 TM:SG2.SP1 TM:SG2.SP2
US CISA CPG 2022 2.P
US CJIS Security Policy 5.9.3 (source) 5.7.1.2
US CMMC 2.0 Level 3 (source) AC.L3-3.1.3E
US CMS MARS-E 2.0 PL-2
US DoD Zero Trust Execution Roadmap 4.1.1 5.1
US DHS ZTCF BAS-03
US FedRAMP R4 PL-2
US FedRAMP R4 (low) PL-2
US FedRAMP R4 (moderate) PL-2
US FedRAMP R4 (high) PL-2
US FedRAMP R4 (LI-SaaS) PL-2
US FedRAMP R5 (source) PL-2
US FedRAMP R5 (low) (source) PL-2
US FedRAMP R5 (moderate) (source) PL-2
US FedRAMP R5 (high) (source) PL-2
US FedRAMP R5 (LI-SaaS) (source) PL-2
US FFIEC D4.C.Co.B.4 D4.C.Co.Int.1
US HIPAA HICP Large Practice 4.L.B 8.L.D
US IRS 1075 PL-2 SA-4(1) SA-4(2)
US TSA / DHS 1580/82-2022-01 III.B.1.c
US - CA CCPA 2025 7123(c)(4)(A)
US - TX DIR Control Standards 2.0 PL-2
US - TX TX-RAMP Level 1 PL-2
US - TX TX-RAMP Level 2 PL-2
EMEA (8)
Framework Mapping Values
EMEA EU DORA 8.4
EMEA EU NIS2 Annex 6.7.2(a)
EMEA Austria Sec 14 Sec 15
EMEA Belgium 16
EMEA Germany C5 2020 COS-07
EMEA Saudi Arabia OTCC-1 2022 2-4-1-16
EMEA UK CAF 4.0 B3.a
EMEA UK DEFSTAN 05-138 1203 2301
APAC (3)
Framework Mapping Values
APAC Australia ISM June 2024 ISM-0516 ISM-0518 ISM-1645 ISM-1646
APAC India SEBI CSCRF ID.AM.S2
APAC New Zealand NZISM 3.6 18.1.9.C.02 18.1.11.C.01 18.1.12.C.01 18.1.12.C.02
Americas (2)
Framework Mapping Values
Americas Canada CSAG 3.1
Americas Canada ITSP-10-171 03.01.03 03.04.11.A 03.04.11.B

Capability Maturity Model

Level 0 — Not Performed

There is no evidence of a capability to maintain network architecture diagrams that: (1) Contain sufficient detail to assess the security of the network's architecture; (2) Reflect the current architecture of the network environment; and (3) Document all sensitive/regulated data flows.

Level 1 — Performed Informally

Asset Management (AST) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • Asset management is informally assigned as an additional duty to existing IT/cybersecurity personnel.
  • Asset inventories are performed in an ad hoc manner.
  • Software licensing is tracked as part of IT asset inventories.
  • Data process owners maintain limited network diagrams to document the flow of sensitive/regulated data that is specific to their initiative.
  • IT personnel work with data/process owners to help ensure secure practices are implemented throughout the System Development Lifecycle (SDLC) for all high-value projects.
  • on at least an annual basis, or after any major technology or process change, network diagrams are updated to reflect the current topology.
Level 2 — Planned & Tracked

Asset Management (AST) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • Asset management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
  • IT/cybersecurity personnel identify cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements for asset management.
  • Administrative processes and technologies focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.
  • Asset management is formally assigned as an additional duty to existing IT/cybersecurity personnel.
  • Technology assets are categorized according to data classification and business criticality.
  • Inventories cover technology assets in scope for statutory, regulatory and/ or contractual compliance, which includes both physical and virtual assets.
  • Software licensing is tracked as part of IT asset inventories.
  • Users are educated on their responsibilities to protect technology assets assigned to them or under their supervision.
  • IT/cybersecurity personnel maintain network diagrams to document the flow of sensitive/regulated data across the network.
  • Data/process owners generate Data Flow Diagrams (DFDs) and network diagrams to document the flow of data to create and maintain a map of systems where sensitive/regulated data is stored, transmitted or processed.
  • Data/process owners document where personal data is stored, transmitted and/ or processed.
Level 3 — Well Defined

Asset Management (AST) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • An IT Asset Management (ITAM) function, or similar function, governs asset management to help ensure compliance with requirements for asset management.
  • An ITAM function, or similar function, maintains an inventory of IT assets, covering both physical and virtual assets, as well as centrally managed asset ownership assignments.
  • Technology assets and data are categorized according to data classification and business criticality criteria.
  • A Cybersecurity Supply Chain Risk Management (C-SCRM) function oversees supply chain risks including the removal and prevention of certain technology services and/ or equipment designated as supply chain threats by a statutory or regulatory body.
  • Data/process owners document where sensitive/regulated data is stored, transmitted and processed, generating Data Flow Diagrams (DFDs) and network diagrams to document the flow of data.
  • Stakeholders create network diagrams that graphically represent compliance boundaries (e.g., in-scope vs out-of-scope).
  • Data/process owners document where personal data is stored, transmitted and/ or processed.
Level 4 — Quantitatively Controlled

Asset Management (AST) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement.

  • Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).
  • Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).
  • Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.
  • Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).
  • Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.
  • Both business and technical stakeholders are involved in reviewing and approving proposed changes.
Level 5 — Continuously Improving

See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to maintain network architecture diagrams that: (1) Contain sufficient detail to assess the security of the network's architecture; (2) Reflect the current architecture of the network environment; and (3) Document all sensitive/regulated data flows.

Assessment Objectives

  1. AST-04_A01 sensitive data flows are identified and documented.
  2. AST-04_A02 a Data Flow Diagram (DFD) exists for each type of sensitive / regulated data that is stored, processed and/or transmitted.
  3. AST-04_A03 a process exists to review DFDs for accuracy.
  4. AST-04_A04 a process exists to update DFDs upon technology or business practice changes that affect where sensitive / regulated data is stored, processed and/or transmitted.
  5. AST-04_A05 one or more high-level network diagrams exist as a schematic to identify the logical placement of systems, applications and services at a conceptual level.
  6. AST-04_A06 one or more low-level network diagrams exist as a schematic to identify the detailed logical and physical placement of systems, applications and services.
  7. AST-04_A07 a process exists to review network diagrams for accuracy.
  8. AST-04_A08 a process exists to update network diagrams upon technologies change.

Evidence Requirements

E-DCH-03 Network Diagram - Global System View (GSV)

Documented evidence of a high-level network diagram that provides a conceptual, logical depiction of the network(s) to describe the interconnections of the systems/applications/services, including internal and external interfaces.

Data Protection
E-DCH-04 Network Diagram - Low Level

Documented evidence of a low-level network diagram that provides a detailed, logical depiction of assets on the network(s).

Data Protection
E-DCH-05 Data Flow Diagram (DFD)

Documented evidence of a Data Flow Diagram (DFD) that accurately identifies where sensitive/regulated data is stored, transmitted and/or processed.

Data Protection

Technology Recommendations

Micro/Small

  • High-Level Diagram (HLD)
  • Low-Level Diagram (LLD)
  • Data Flow Diagram (DFD)

Small

  • High-Level Diagram (HLD)
  • Low-Level Diagram (LLD)
  • Data Flow Diagram (DFD)

Medium

  • High-Level Diagram (HLD)
  • Low-Level Diagram (LLD)
  • Data Flow Diagram (DFD)

Large

  • High-Level Diagram (HLD)
  • Low-Level Diagram (LLD)
  • Data Flow Diagram (DFD)

Enterprise

  • High-Level Diagram (HLD)
  • Low-Level Diagram (LLD)
  • Data Flow Diagram (DFD)

The Secure Controls Framework (SCF) is maintained by SCF Council. Use of SCF content is subject to the SCF Terms & Conditions.

Manage this control in SCF Connect

Track implementation status, collect evidence, and map controls to your compliance frameworks automatically.

Get Started Free