| CHM04_1 | DCF-4 | Version Control System | Notes to Auto-test |
| CHM05 | DCF-5 | Code Review Process | |
| CHM03_1 | DCF-6 | Production Code Changes Restricted | |
| CHM03 | DCF-7 | Separate Testing and Production Environments | Drata looks for labels "test", "development" to validate the separation. If they are labelled something different, the test may fail and require manual evidence. |
| REC01_1 | DCF-27 | Multiple Availability Zones | |
| AUT05 | DCF-75 | Cloud Data Storage Restricted | |
| EXT06_3 | DCF-48 | Session Lock | |
| PMN19 | DCF-49 | Password Manager | |
| EXT05 | DCF-50 | Malware Detection Software Installed | |
| PMN11 | DCF-51 | Security Patches Automatically Applied | |
| PMN18 | DCF-52 | Hard-Disk Encryption | |
| EXT07 | DCF-54 | Customer Data is Encrypted at Rest | |
| EXT08 | DCF-55 | SSL/TLS Enforced | |
| AUT01 | DCF-67 | MFA on Accounts | |
| AUT04 | DCF-71 | Unique Accounts Used | |
| REC02 | DCF-77 | Daily Database Backups | |
| SMN02_1 | DCF-79 | Logs Centrally Stored | |
| SMN01 | DCF-80 | Log Management System | |
| EXT03 | DCF-85 | Firewalls | |
| EXT11 | DCF-87 | Logging/Monitoring | |
| EXT20 | DCF-88 | Web Application Firewall | |
| MGT10_1 | DCF-89 | Cloud Infrastructure Linked to Drata | |
| REC15 | DCF-96 | Load Balancer Used | |
| SMN04_1 | DCF-97 | Auto-Scale Configuration | |
| PMN06 | DCF-20 | Maintains Asset Inventory | |
| CHM06 | DCF-156 | Production Code Released by Appropriate Personnel | |
| MGT10_2 | DCF-160 | Continuous Control Monitoring |