Frameworks

Frameworks are collections of controls that are used to assess compliance with specific standards or regulations. The help docs have more information.

List Frameworks

Find Frameworks matching the provided filters.

🔒 Requires Frameworks: List Frameworks permission.

Security: bearer
Request
path Parameters
workspaceId
required
number

The Workspace ID associated to the Account

query Parameters
cursor
string

This parameter is used to paginate through results. No value is needed for the first request. If there are additional results, the response will contain a pagination.cursor value that can be used in the subsequent request to retrieve the next page of results

size
number [ 1 .. 500 ]
Default: 50

Number of results to return

sort
string (SortTypeLimitedEnum)

Which field to sort by

Enum: "createdAt" "updatedAt"
sortDir
string (SortDirectionEnum)

The direction to sort the data

Enum: "ASC" "DESC"
includeTotalCount
boolean
Default: false

Include total count of all matching records in response. Only honored on first page (when cursor is null).

Example: includeTotalCount=false
name
string

Filter Frameworks by name (partial match)

Example: name=SOC 2
excludeIds
Array of numbers

Array of Framework IDs to exclude from results

Example: excludeIds=1&excludeIds=2&excludeIds=3
isReady
boolean

Filter Frameworks by ready state

Example: isReady=true
isEnabled
boolean

Filter Frameworks by enabled state

Example: isEnabled=true
Responses
200

Successful

400

Malformed data and/or validation errors

401

Invalid Authorization

403

You are not allowed to perform this action

404

Not Found

412

You must accept the Drata terms and conditions to use the API

500

Internal server error

GET /workspaces/{workspaceId}/frameworks
Response samples
application/json
{
  "data": [
    {
      "id": 123,
      "name": "SOC 2",
      "description": "Report on controls at a Service Organization",
      "slug": "soc-2",
      "tag": "SOC_2",
      "pill": "SOC 2",
      "numInScopeControls": 42,
      "numInScopeRequirements": 42,
      "numReadyInScopeRequirements": 35,
      "isReady": true,
      "isEnabled": true,
      "color": "#174880",
      "bgColor": "#E8F4FF",
      "createdAt": "2025-07-01T16:45:55.246Z",
      "updatedAt": "2025-07-01T16:45:55.246Z"
    }
  ],
  "pagination": {
    "cursor": "string",
    "totalCount": 0
  }
}
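
Added example (not part of the Drata documentation): a Python sketch of walking the cursor pagination described above so that an inventory of Frameworks is complete rather than limited to the first page. The `fetch` transport, `fake_fetch` and its two pages are constructed for illustration, and treating a missing or null `pagination.cursor` as the last page is an assumption based on the `cursor` parameter description.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

MAX_PAGE_SIZE = 500  # documented upper bound for `size`


def build_query(cursor=None, size=50, name=None, exclude_ids=(),
                is_enabled=None, include_total=False):
    """Build the query string for GET /workspaces/{workspaceId}/frameworks."""
    if not 1 <= size <= MAX_PAGE_SIZE:
        raise ValueError("size must be between 1 and 500")
    params = [("size", size)]
    if cursor is not None:
        params.append(("cursor", cursor))
    elif include_total:
        # includeTotalCount is only honored on the first page (no cursor).
        params.append(("includeTotalCount", "true"))
    if name is not None:
        params.append(("name", name))
    if is_enabled is not None:
        params.append(("isEnabled", "true" if is_enabled else "false"))
    # Array parameters are repeated: excludeIds=1&excludeIds=2&excludeIds=3
    params.extend(("excludeIds", i) for i in exclude_ids)
    return urlencode(params)


def iter_frameworks(fetch, workspace_id, max_pages=1000, **filters):
    """Yield every Framework, following pagination.cursor until none is returned.

    `fetch(path_and_query) -> dict` is a caller-supplied transport (hypothetical)
    that adds the bearer token and returns the decoded JSON body.
    """
    cursor, seen = None, set()
    for _ in range(max_pages):
        query = build_query(cursor=cursor, **filters)
        page = fetch(f"/workspaces/{workspace_id}/frameworks?{query}")
        yield from page.get("data", [])
        cursor = (page.get("pagination") or {}).get("cursor")
        if not cursor:
            return  # assumption: no cursor means this was the last page
        if cursor in seen:
            raise RuntimeError("cursor repeated; aborting to avoid a loop")
        seen.add(cursor)
    raise RuntimeError("max_pages exceeded; results are incomplete")


def fake_fetch(url):
    """Constructed two-page response so the example runs offline."""
    query = parse_qs(urlsplit(url).query)
    if "cursor" not in query:
        return {"data": [{"id": 123, "tag": "SOC_2", "isEnabled": True}],
                "pagination": {"cursor": "page-2", "totalCount": 2}}
    return {"data": [{"id": 124, "tag": "CUSTOM", "isEnabled": True}],
            "pagination": {"cursor": None}}


if __name__ == "__main__":
    for framework in iter_frameworks(fake_fetch, 1, is_enabled=True):
        print(framework["id"], framework["tag"])
```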

Create Custom Framework

Create a new custom compliance Framework.

🔒 Requires workspaces-post-framework permission.

💎 Requires your account have the Custom Frameworks feature. Contact your CSM for help upgrading.

Security: bearer
Request
path Parameters
workspaceId
required
number

The Workspace ID associated to the Account

Request Body schema: application/json
required
name
required
string <= 191 characters

Framework display name

shortName
required
string <= 16 characters

Short label used as a pill/badge in the UI

description
required
string <= 30000 characters

Framework description

Responses
201

Created

400

Malformed data and/or validation errors

401

Invalid Authorization

402

The required account entitlement is not enabled.

403

You are not allowed to perform this action

412

You must accept the Drata terms and conditions to use the API

500

Internal server error

POST /workspaces/{workspaceId}/frameworks
Request samples
application/json
{
  "name": "My Custom Framework 2024",
  "shortName": "MCF-24",
  "description": "A custom compliance framework for internal security controls."
}
Response samples
application/json
{
  "id": 123,
  "name": "SOC 2",
  "description": "Report on controls at a Service Organization",
  "slug": "soc-2",
  "tag": "SOC_2",
  "pill": "SOC 2",
  "numInScopeControls": 42,
  "numInScopeRequirements": 42,
  "numReadyInScopeRequirements": 35,
  "isReady": true,
  "isEnabled": true,
  "color": "#174880",
  "bgColor": "#E8F4FF",
  "createdAt": "2025-07-01T16:45:55.246Z",
  "updatedAt": "2025-07-01T16:45:55.246Z"
}

List Framework Requirements

Use GET /workspaces/{workspaceId}/frameworks/{frameworkId}/requirements instead.

Find Framework Requirements matching the provided filters. Use expand[]=controls to include a limited subcollection of controls for each requirement. Use expand[]=customFields to include custom field values for each requirement.

🔒 Requires Frameworks: List Framework Requirements permission.

Security: bearer
Request
path Parameters
workspaceId
required
number

The Workspace ID associated to the Account

query Parameters
cursor
string

This parameter is used to paginate through results. No value is needed for the first request. If there are additional results, the response will contain a pagination.cursor value that can be used in the subsequent request to retrieve the next page of results

size
number [ 1 .. 500 ]
Default: 50

Number of results to return

sort
string (SortTypeLimitedEnum)

Which field to sort by

Enum: "createdAt" "updatedAt"
sortDir
string (SortDirectionEnum)

The direction to sort the data

Enum: "ASC" "DESC"
includeTotalCount
boolean
Default: false

Include total count of all matching records in response. Only honored on first page (when cursor is null).

Example: includeTotalCount=false
expand[]
Array of strings (FrameworkRequirementsExpandEnum)

List of subcollections and sub-objects to expand

Items Enum: "controls" "customFields" "framework"
isReady
boolean

Filter Requirements that are or are not ready

Example: isReady=false
isInScope
boolean

Filter Requirements that are or are not in scope (not archived)

Example: isInScope=true
frameworkTag
Array of strings (FrameworkTagEnum)

Filter data by Requirements associated with these framework tags

Items Enum: "NONE" "SOC_2" "ISO27001" "CCPA" "GDPR" "HIPAA" "PCI" "SCF" "NIST80053" "NISTCSF" "CMMC" "NIST800171" "MSSSPA" "FFIEC" "ISO27701" "COBIT" "SOX_ITGC" "ISO270012022" "CCM" "CYBER_ESSENTIALS" "ISO270172015" "ISO270182019" "FEDRAMP" "NISTAI" "PCI4" "NISTCSF2" "NIS2" "DORA" "ISO420012023" "DRATA_ESSENTIALS" "NIST800171R3" "CIS8" "CYBER_ESSENTIALS_32" "FEDRAMP20X" "HITRUST" "MSSSPA11" "ESSENTIAL_EIGHT" "NYDFS" "TISAX" "ISO270182025" "CCPA2026" "ISO277012025" "CPS230" "CUSTOM" "ALL"
excludeIds
Array of numbers

Exclude Requirements by array of IDs

Example:
frameworkSlug
string

Filter data by Requirements associated with these framework slugs. This parameter is intended to be used only for custom frameworks

Example: frameworkSlug=slug
Responses
200

Successful

400

Malformed data and/or validation errors

401

Invalid Authorization

403

You are not allowed to perform this action

404

Not Found

412

You must accept the Drata terms and conditions to use the API

500

Internal server error

GET /workspaces/{workspaceId}/framework-requirements
Response samples
application/json
{
  "data": [
    {
      "createdAt": "2025-07-01T16:45:55.246Z",
      "description": "The entity demonstrates a commitment to integrity and ethical values.",
      "frameworkName": "SOC 2",
      "frameworkPill": "SOC 2",
      "frameworkSlug": "SOC 2",
      "frameworkTag": "SOC_2",
      "id": 58,
      "name": "PI1.2",
      "updatedAt": "2025-07-01T16:45:55.246Z",
      "additionalInfo": "The entity demonstrates a commitment to integrity.",
      "additionalInfo2": "The entity demonstrates a commitment to ethical values.",
      "additionalInfo3": "The entity demonstrates a commitment to enforcing policies.",
      "archivedAt": "2025-07-01T16:45:55.246Z",
      "externalId": "SOC 2",
      "longDescription": "The entity demonstrates a commitment to integrity and ethical values.",
      "rationale": "This requirement is not needed.",
      "category": "General Rules",
      "controls": {
        "data": [
          {
            "id": 1,
            "code": "DCF-1001",
            "isReady": true,
            "controlNumber": 1,
            "archivedAt": "2025-07-01T16:45:55.246Z"
          }
        ],
        "totalCount": 47
      },
      "customFields": [
        {
          "customFieldId": 1,
          "name": "Stakeholders",
          "value": "Security & IT"
        }
      ]
    }
  ],
  "pagination": {
    "cursor": "string",
    "totalCount": 0
  }
}

Update Framework Requirement

Use PUT /workspaces/{workspaceId}/frameworks/{frameworkId}/requirements/{requirementId} instead. The replacement endpoint supports both Custom Field and structural-field updates.

🔒 Requires Frameworks: Update Framework Requirement permission.

💎 Requires your account have the Custom Fields and Formulas feature. Contact your CSM for help upgrading.

Security: bearer
Request
path Parameters
workspaceId
required
number

The Workspace ID associated to the Account

frameworkRequirementId
required
number
Request Body schema: application/json
required
customFields
Array of objects (CustomFieldSubmitRequestPublicV2Dto)

Custom Fields for the Requirement.

💎 Requires your account have the Custom Fields and Formulas feature. Contact your CSM for help upgrading.

Responses
200

Successful

400

Malformed data and/or validation errors

401

Invalid Authorization

402

The required account entitlement is not enabled.

403

You are not allowed to perform this action

404

Not Found

412

You must accept the Drata terms and conditions to use the API

500

Internal server error

PUT /workspaces/{workspaceId}/framework-requirements/{frameworkRequirementId}
Request samples
application/json
{
  "customFields": [
    {
      "id": 1,
      "name": "Compliance Status",
      "value": "Security & IT"
    }
  ]
}
Response samples
application/json
{
  "createdAt": "2025-07-01T16:45:55.246Z",
  "description": "The entity demonstrates a commitment to integrity and ethical values.",
  "frameworkName": "SOC 2",
  "frameworkPill": "SOC 2",
  "frameworkSlug": "SOC 2",
  "frameworkTag": "SOC_2",
  "id": 58,
  "name": "PI1.2",
  "updatedAt": "2025-07-01T16:45:55.246Z",
  "additionalInfo": "The entity demonstrates a commitment to integrity.",
  "additionalInfo2": "The entity demonstrates a commitment to ethical values.",
  "additionalInfo3": "The entity demonstrates a commitment to enforcing policies.",
  "archivedAt": "2025-07-01T16:45:55.246Z",
  "externalId": "SOC 2",
  "longDescription": "The entity demonstrates a commitment to integrity and ethical values.",
  "rationale": "This requirement is not needed.",
  "category": "General Rules",
  "controls": {
    "data": [
      {
        "id": 1,
        "code": "DCF-1001",
        "isReady": true,
        "controlNumber": 1,
        "archivedAt": "2025-07-01T16:45:55.246Z"
      }
    ],
    "totalCount": 47
  },
  "customFields": [
    {
      "customFieldId": 1,
      "name": "Stakeholders",
      "value": "Security & IT"
    }
  ]
}

List Framework Requirements

List Requirements scoped to the specified Framework.

🔒 Requires Frameworks: List Framework Requirements permission.

Security: bearer
Request
path Parameters
workspaceId
required
number

The Workspace ID associated to the Account

frameworkId
required
number
query Parameters
cursor
string

This parameter is used to paginate through results. No value is needed for the first request. If there are additional results, the response will contain a pagination.cursor value that can be used in the subsequent request to retrieve the next page of results

size
number [ 1 .. 500 ]
Default: 50

Number of results to return

sort
string (SortTypeLimitedEnum)

Which field to sort by

Enum: "createdAt" "updatedAt"
sortDir
string (SortDirectionEnum)

The direction to sort the data

Enum: "ASC" "DESC"
includeTotalCount
boolean
Default: false

Include total count of all matching records in response. Only honored on first page (when cursor is null).

Example: includeTotalCount=false
expand[]
Array of strings (FrameworkRequirementsExpandEnum)

List of subcollections and sub-objects to expand. controls includes a limited subcollection of Controls mapped to each Requirement. customFields includes Custom Field values for each Requirement. framework includes a compact Framework object on each Requirement.

Items Enum: "controls" "customFields" "framework"
isReady
boolean

Filter Requirements that are or are not ready

Example: isReady=false
isInScope
boolean

Filter Requirements that are or are not in scope (not archived)

Example: isInScope=true
excludeIds
Array of numbers

Exclude Requirements by array of IDs

Example:
Responses
200

Successful

400

Malformed data and/or validation errors

401

Invalid Authorization

403

You are not allowed to perform this action

404

Not Found

412

You must accept the Drata terms and conditions to use the API

500

Internal server error

GET /workspaces/{workspaceId}/frameworks/{frameworkId}/requirements
Response samples
application/json
{
  "data": [
    {
      "id": 58,
      "code": "A.5.1.1",
      "name": "Policies for information security",
      "description": "A set of policies for information security shall be defined, approved, published...",
      "category": "General Rules",
      "additionalInfo": "Refer to ISO 27001:2022 Annex A.",
      "createdAt": "2025-07-01T16:45:55.246Z",
      "updatedAt": "2025-07-01T16:45:55.246Z",
      "framework": {
        "id": 13,
        "name": "NIST AI RMF",
        "description": "The NIST AI Risk Management Framework (AI RMF) is a set of suggestions and guidelines for incorporating trustworthiness considerations in the design, development, deployment, and use of AI systems.",
        "createdAt": "2025-07-01T16:45:55.246Z",
        "updatedAt": "2025-07-01T16:45:55.246Z",
        "enabledAt": "2025-07-01T16:45:55.246Z",
        "shortName": "SOC 2",
        "tag": "SOC_2",
        "deletedAt": "2025-07-01T16:45:55.246Z"
      },
      "controls": [
        {
          "id": 1,
          "code": "DCF-1001",
          "isReady": true,
          "controlNumber": 1,
          "archivedAt": "2025-07-01T16:45:55.246Z"
        }
      ],
      "customFields": [
        {
          "customFieldId": 1,
          "name": "Stakeholders",
          "value": "Security & IT"
        }
      ]
    }
  ],
  "pagination": {
    "cursor": "string",
    "totalCount": 0
  }
}

Create Framework Requirements

Create or update one or more Requirements on a custom Framework. Duplicate codes within a batch and unknown Control IDs cause the entire request to fail.

🔒 Requires workspaces-post-framework-requirements permission.

💎 Requires your account have the Custom Frameworks feature. Contact your CSM for help upgrading.

Security: bearer
Request
path Parameters
workspaceId
required
number

The Workspace ID associated to the Account

frameworkId
required
number
Request Body schema: application/json
required
data
required
Array of objects (CreateFrameworkRequirementRequestPublicV2Dto) non-empty

One or more Requirements to create on the Framework. Duplicate codes within a batch and unknown Control IDs cause the entire request to fail.

Responses
201

Created

400

Malformed data and/or validation errors

401

Invalid Authorization

402

The required account entitlement is not enabled.

403

You are not allowed to perform this action

404

Not Found

412

You must accept the Drata terms and conditions to use the API

422

Unprocessable Entity

500

Internal server error

POST /workspaces/{workspaceId}/frameworks/{frameworkId}/requirements
Request samples
application/json
{
  "data": [
    {
      "code": "A.5.1.1",
      "name": "Policies for information security",
      "description": "A set of policies for information security shall be defined, approved, published...",
      "category": "General Rules",
      "additionalInfo": "Refer to ISO 27001:2022 Annex A.",
      "controlIds": [
        42,
        57
      ]
    }
  ]
}
Response samples
application/json
{
  "data": [
    {
      "id": 58,
      "code": "A.5.1.1",
      "name": "Policies for information security",
      "description": "A set of policies for information security shall be defined, approved, published...",
      "category": "General Rules",
      "additionalInfo": "Refer to ISO 27001:2022 Annex A.",
      "createdAt": "2025-07-01T16:45:55.246Z",
      "updatedAt": "2025-07-01T16:45:55.246Z",
      "framework": {
        "id": 13,
        "name": "NIST AI RMF",
        "description": "The NIST AI Risk Management Framework (AI RMF) is a set of suggestions and guidelines for incorporating trustworthiness considerations in the design, development, deployment, and use of AI systems.",
        "createdAt": "2025-07-01T16:45:55.246Z",
        "updatedAt": "2025-07-01T16:45:55.246Z",
        "enabledAt": "2025-07-01T16:45:55.246Z",
        "shortName": "SOC 2",
        "tag": "SOC_2",
        "deletedAt": "2025-07-01T16:45:55.246Z"
      },
      "controls": [
        {
          "id": 1,
          "code": "DCF-1001",
          "isReady": true,
          "controlNumber": 1,
          "archivedAt": "2025-07-01T16:45:55.246Z"
        }
      ],
      "customFields": [
        {
          "customFieldId": 1,
          "name": "Stakeholders",
          "value": "Security & IT"
        }
      ]
    }
  ]
}
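
Added example (not part of the Drata documentation): because one duplicate code or unknown Control ID fails the entire batch, a sync job can check both documented conditions locally and report which entry is at fault before sending. `known_control_ids` is a caller-supplied set of Control IDs in the workspace (how it is obtained is outside this page), comparing codes by exact string match is an assumption, and `SAMPLE_BATCH` is constructed.

```python
def validate_requirement_batch(items, known_control_ids):
    """Return a list of problems; an empty list means the batch may be sent."""
    if not items:
        return ["batch is empty; the request body requires a non-empty array"]
    known = set(known_control_ids)
    problems, first_seen = [], {}
    for index, item in enumerate(items):
        code = item.get("code")
        if code is not None:
            if code in first_seen:
                problems.append(
                    f"item {index}: code {code!r} duplicates item {first_seen[code]}")
            else:
                first_seen[code] = index
        unknown = sorted(set(item.get("controlIds", [])) - known)
        if unknown:
            problems.append(f"item {index}: unknown control IDs {unknown}")
    return problems


def build_create_body(items, known_control_ids):
    """Return the POST body, or raise with every problem found in the batch."""
    problems = validate_requirement_batch(items, known_control_ids)
    if problems:
        raise ValueError("batch rejected locally: " + "; ".join(problems))
    return {"data": list(items)}


# Constructed sample: item 1 maps an unknown Control, item 2 repeats a code.
SAMPLE_BATCH = [
    {"code": "A.5.1.1", "name": "Policies for information security",
     "controlIds": [42, 57]},
    {"code": "A.5.1.2", "name": "Review of policies", "controlIds": [42, 99]},
    {"code": "A.5.1.1", "name": "Duplicate entry", "controlIds": []},
]
SAMPLE_KNOWN_CONTROLS = {42, 57}

if __name__ == "__main__":
    for problem in validate_requirement_batch(SAMPLE_BATCH, SAMPLE_KNOWN_CONTROLS):
        print(problem)
```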

Update Framework Requirement

Update a custom Framework Requirement, including core fields, control mappings, and Custom Field values.

🔒 Requires Frameworks: Update Framework Requirement permission.

Security: bearer
Request
path Parameters
workspaceId
required
number

The Workspace ID associated to the Account

frameworkId
required
number
requirementId
required
number
Request Body schema: application/json
required
code
string <= 191 characters

Unique code for this Requirement within the Framework

name
string <= 30000 characters

Human-readable name for this Requirement

description
string <= 30000 characters

Detailed description of the Requirement

category
string <= 191 characters

Category label for grouping Requirements within the Framework

additionalInfo
string <= 30000 characters

Additional information for this Requirement

controlIds
Array of numbers

Control IDs to map to this Requirement. Providing an empty array clears all mappings. Omitting the field leaves existing mappings unchanged. All IDs must exist within the workspace.

customFields
Array of objects (CustomFieldSubmitRequestPublicV2Dto)

Custom Fields for the Requirement.

💎 Requires your account have the Custom Fields and Formulas feature. Contact your CSM for help upgrading.

Responses
200

Successful

204

No Content

400

Malformed data and/or validation errors

401

Invalid Authorization

402

The required account entitlement is not enabled.

403

You are not allowed to perform this action

404

Not Found

412

You must accept the Drata terms and conditions to use the API

422

Unprocessable Entity

500

Internal server error

PUT /workspaces/{workspaceId}/frameworks/{frameworkId}/requirements/{requirementId}
Request samples
application/json
{
  "code": "A.5.1.1",
  "name": "Policies for information security",
  "description": "A set of policies for information security shall be defined, approved, published...",
  "category": "General Rules",
  "additionalInfo": "Refer to ISO 27001:2022 Annex A.",
  "controlIds": [
    42,
    57
  ],
  "customFields": [
    {
      "id": 1,
      "name": "Compliance Status",
      "value": "Security & IT"
    }
  ]
}
Response samples
application/json
{
  "id": 58,
  "code": "A.5.1.1",
  "name": "Policies for information security",
  "description": "A set of policies for information security shall be defined, approved, published...",
  "category": "General Rules",
  "additionalInfo": "Refer to ISO 27001:2022 Annex A.",
  "createdAt": "2025-07-01T16:45:55.246Z",
  "updatedAt": "2025-07-01T16:45:55.246Z",
  "framework": {
    "id": 13,
    "name": "NIST AI RMF",
    "description": "The NIST AI Risk Management Framework (AI RMF) is a set of suggestions and guidelines for incorporating trustworthiness considerations in the design, development, deployment, and use of AI systems.",
    "createdAt": "2025-07-01T16:45:55.246Z",
    "updatedAt": "2025-07-01T16:45:55.246Z",
    "enabledAt": "2025-07-01T16:45:55.246Z",
    "shortName": "SOC 2",
    "tag": "SOC_2",
    "deletedAt": "2025-07-01T16:45:55.246Z"
  },
  "controls": [
    {
      "id": 1,
      "code": "DCF-1001",
      "isReady": true,
      "controlNumber": 1,
      "archivedAt": "2025-07-01T16:45:55.246Z"
    }
  ],
  "customFields": [
    {
      "customFieldId": 1,
      "name": "Stakeholders",
      "value": "Security & IT"
    }
  ]
}
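
Added example (not part of the Drata documentation): the `controlIds` field above has three states (omitted, empty array, list of IDs), and a client that serializes "nothing selected" as `[]` would clear every Control mapping on the Requirement. This sketch keeps the states distinct and requires an explicit flag to clear; `UNCHANGED`, `allow_clear` and `mapping_change` are names invented here, and `mapping_change` assumes a non-empty `controlIds` replaces the existing set, which the page does not state outright.

```python
UNCHANGED = object()  # sentinel: leave controlIds out of the PUT body

# Documented maximum lengths for the string fields of the update body.
LIMITS = {"code": 191, "name": 30000, "description": 30000,
          "category": 191, "additionalInfo": 30000}


def build_requirement_update(control_ids=UNCHANGED, allow_clear=False, **fields):
    """Build the PUT body without ever clearing mappings by accident."""
    body = {}
    for key, value in fields.items():
        if key not in LIMITS:
            raise ValueError(f"unknown field: {key}")
        if len(value) > LIMITS[key]:
            raise ValueError(f"{key} exceeds {LIMITS[key]} characters")
        body[key] = value
    if control_ids is UNCHANGED:
        return body  # field omitted: existing mappings stay as they are
    if control_ids is None:
        raise ValueError("pass UNCHANGED to keep mappings, or [] with "
                         "allow_clear=True to clear them")
    ids = list(control_ids)
    if not ids and not allow_clear:
        raise ValueError("empty controlIds clears all mappings; "
                         "pass allow_clear=True to confirm")
    body["controlIds"] = ids
    return body


def mapping_change(current_ids, body):
    """Return (added, removed) Control IDs the request would cause.

    Useful for an audit log entry written before the PUT is sent.
    """
    if "controlIds" not in body:
        return set(), set()
    new, current = set(body["controlIds"]), set(current_ids)
    return new - current, current - new


if __name__ == "__main__":
    body = build_requirement_update(control_ids=[42, 57], code="A.5.1.1")
    print(body, mapping_change([42, 99], body))
```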

Update Custom Framework

Update an existing custom compliance Framework.

🔒 Requires workspaces-put-framework permission.

💎 Requires your account have the Custom Frameworks feature. Contact your CSM for help upgrading.

Security: bearer
Request
path Parameters
workspaceId
required
number

The Workspace ID associated to the Account

frameworkId
required
number
Request Body schema: application/json
required
name
string <= 191 characters

The title of the Framework

shortName
string <= 16 characters

Short label used as a pill/badge in the UI

description
string <= 30000 characters

Framework description

Responses
200

Successful

400

Malformed data and/or validation errors

401

Invalid Authorization

402

The required account entitlement is not enabled.

403

You are not allowed to perform this action

404

Not Found

412

You must accept the Drata terms and conditions to use the API

422

Unprocessable Entity

500

Internal server error

PUT /workspaces/{workspaceId}/frameworks/{frameworkId}
Request samples
application/json
{
  "name": "My Updated Framework 2024",
  "shortName": "MUF-24",
  "description": "Updated description for the framework."
}
Response samples
application/json
{
  "id": 123,
  "name": "SOC 2",
  "description": "Report on controls at a Service Organization",
  "slug": "soc-2",
  "tag": "SOC_2",
  "pill": "SOC 2",
  "numInScopeControls": 42,
  "numInScopeRequirements": 42,
  "numReadyInScopeRequirements": 35,
  "isReady": true,
  "isEnabled": true,
  "color": "#174880",
  "bgColor": "#E8F4FF",
  "createdAt": "2025-07-01T16:45:55.246Z",
  "updatedAt": "2025-07-01T16:45:55.246Z"
}