Legal

Third-party frameworks & licensing

Last reviewed: 2026-05-13 · Owner: Millwater Consulting Ltd.

Firstlight assesses code against industry-recognised technology and security frameworks. We do not author those frameworks; they are published by the organisations named below. This page records exactly which frameworks Firstlight uses, where their canonical publications live, what licence they're published under, and how Firstlight respects each licence.

If you spot anything we should adjust, write to legal@millwater.consulting and we'll fix it on the next site refresh.


How to read this disclosure

For each framework we list:

  • Canonical source — where you can read the framework in its original form.
  • Copyright holder — who owns the framework's text and structure.
  • Licence — the terms the framework is published under.
  • How Firstlight uses it — what we take from each framework, and how that respects the licence.

We split the frameworks into three groups by how openly each one is licensed:

  1. Public-domain or permissive-licence sources — frameworks we can reproduce verbatim with attribution.
  2. Copyrighted but freely-readable sources — frameworks we can reference and summarise in our own words, but cannot copy verbatim.
  3. Paywalled sources — frameworks we reference by control identifier only, with our own summary descriptions; readers obtain the canonical text from the publisher.

1. Public-domain or permissive-licence frameworks

NIST publications (US Government, public domain)

  • NIST SP 800-218 — Secure Software Development Framework (SSDF) v1.1
  • NIST SP 800-53 Rev 5 — Security and Privacy Controls for Information Systems
  • NIST Cybersecurity Framework (CSF) 2.0
  • NIST AI Risk Management Framework (AI RMF 1.0) (AI 100-1)
  • NIST AI 600-1 — Generative AI Profile

Copyright. None — US Federal Government works are in the public domain in the United States (17 U.S.C. § 105).
Licence. Public domain / CC0-1.0 for the OSCAL JSON distribution.
How Firstlight uses these. We import the canonical control text from the official OSCAL JSON catalogues and reproduce the control identifiers and statements as published.

OWASP — Open Worldwide Application Security Project

  • OWASP Application Security Verification Standard (ASVS) v5.0
  • OWASP Software Assurance Maturity Model (SAMM) v2.1
  • OWASP Top 10 for Large Language Model Applications (2025)
  • OWASP Mobile Application Security Verification Standard (MASVS)

Canonical source. owasp.org and the OWASP GitHub organisation.
Copyright. © OWASP Foundation.
Licence. Creative Commons Attribution-ShareAlike 4.0 International (CC BY-SA 4.0).
How Firstlight uses these. We import the canonical control text from OWASP's official JSON / YAML distributions. We attribute OWASP as the source on the crosswalk artefact and in this disclosure. Any reader-facing copy of OWASP material that ships in a Firstlight artefact carries the CC BY-SA 4.0 notice; you are free to redistribute Firstlight's OWASP-sourced sections under the same licence.

Diátaxis — documentation framework

Copyright. © Daniele Procida.
Licence. Creative Commons Attribution-ShareAlike 4.0 International (CC BY-SA 4.0).
How Firstlight uses it. We import the four-quadrant taxonomy (tutorials, how-to guides, reference, explanation) and reference the canonical site for the full text.

arc42 — architecture documentation template

Copyright. © Dr. Gernot Starke and contributors.
Licence. Creative Commons Attribution-ShareAlike 4.0 International (CC BY-SA 4.0).
How Firstlight uses it. We import the twelve-section structure and reference the canonical template for the full text.

C4 model — architecture notation

Canonical source. c4model.com
Copyright. © Simon Brown.
Licence. Creative Commons Attribution 4.0 International (CC BY 4.0).
How Firstlight uses it. We import the four-level abstraction taxonomy (System Context, Container, Component, Code) and reference the canonical site for the full text.

Prowler — open-source cloud-compliance scanner (derivative source for cloud benchmarks)

Copyright. © Prowler Inc. and contributors.
Licence. Apache License 2.0.
How Firstlight uses it. Prowler publishes compliance JSON files that map established benchmarks (AWS Foundational Security Best Practices, AWS / Azure / GCP CIS Foundations Benchmarks, PCI DSS v4.0 mappings, ISO 27001:2022 mappings, NIST SP 800-53 Rev 5 mappings) into a single machine-readable format. We import those JSON files as a derivative work under the Apache 2.0 licence, with attribution to Prowler Inc., and we redistribute Firstlight's transformations of those files under the same terms. Prowler's NOTICE file is preserved in frameworks/_catalogues/prowler/NOTICE.

Note: Prowler's compliance files paraphrase CIS, PCI SSC, and ISO control language under Prowler's own publication. We rely on Prowler's published terms; readers wanting the canonical source should obtain the original benchmark from CIS, PCI SSC, or ISO directly (see Section 3).


2. Copyrighted, freely-readable frameworks (reference-only)

These frameworks are published by their authors free of charge but are not licensed for redistribution. Firstlight references each by its canonical identifier and may quote short passages under fair-use principles for the purpose of mapping findings to controls. Firstlight does not redistribute the full text of these frameworks — readers should consult the canonical source.

Google Site Reliability Engineering (the SRE books)

Canonical source. sre.google/books
Copyright. © Google LLC.
Licence. Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International (CC BY-NC-ND 4.0) for the online editions. The NonCommercial term prohibits redistribution in a commercial product such as Firstlight; the NoDerivatives term prohibits substantive modification.
How Firstlight uses it. We reference the SRE practices (SLOs, error budgets, toil, on-call, postmortems, release engineering, capacity planning) by name and provide Millwater-authored summaries in our artefacts. We do not reproduce substantive passages from the SRE books. Readers who want the canonical text should read the books at the link above.

DORA — DevOps Research and Assessment

Canonical source. dora.dev
Copyright. © Google LLC.
Licence. Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International (CC BY-NC-SA 4.0) for the DORA capability catalogue.
How Firstlight uses it. We reference the four key DORA metrics (deployment frequency, lead time for changes, change-failure rate, MTTR) and the DORA capabilities by name, with our own Millwater-authored summaries. We do not redistribute the DORA report content in our commercial product.

Google SAIF — Secure AI Framework

Copyright. © Google LLC.
Licence. All rights reserved by Google. Free to read at the canonical source; no redistribution licence has been published.
How Firstlight uses it. We reference the six SAIF elements and the named risks by their canonical labels with our own Millwater-authored descriptions, with a link back to saif.google for the canonical text.

AWS Well-Architected Framework

Copyright. © Amazon Web Services, Inc.
Licence. Governed by the AWS Site Terms. The Framework pillar content is not redistributable verbatim outside of the AWS Well-Architected Tool.
How Firstlight uses it. We reference the six pillars (Operational Excellence, Security, Reliability, Performance Efficiency, Cost Optimisation, Sustainability) and the published questions and best practices by their canonical identifiers, with Millwater-authored short summaries. We do not redistribute the full pillar documentation. For controls that overlap with AWS Foundational Security Best Practices, we use the structured JSON published under Apache 2.0 by Prowler (Section 1 above).

Microsoft Azure Well-Architected Framework

Copyright. © Microsoft Corporation.
Licence. The repository source is published under Creative Commons Attribution 4.0 International (CC BY 4.0).
How Firstlight uses it. We parse the structured Markdown checklists from the MicrosoftDocs source repository (CC BY 4.0) and import them under attribution.

Microsoft Cloud Security Benchmark (MCSB)

Copyright. © Microsoft Corporation.
Licence. Code MIT, content CC BY 4.0.
How Firstlight uses it. Same approach as the Microsoft Azure Well-Architected Framework entry above: structured import from the Microsoft source repository, with attribution.

Google Cloud Architecture Framework

Copyright. © Google LLC.
Licence. Creative Commons Attribution 4.0 International (CC BY 4.0) for cloud.google.com documentation.
How Firstlight uses it. We import the structured pillar content (Operational Excellence, Security, Reliability, Performance, Cost Optimisation) under attribution. For Google's SRE / DORA / SAIF material, see the separate entries above.

3. Paywalled frameworks (control IDs + Firstlight summaries)

These frameworks are sold by their publishers as paid standards. Firstlight refers to controls by their canonical identifiers, with our own Millwater-authored short summaries. We do not redistribute the standards text. Readers should purchase the canonical standards from the publisher.

ISO/IEC 27001:2022 — Information Security Management Systems

Canonical source. iso.org/standard/27001
Copyright. © International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).
Licence. Standards purchased from ISO. We do not redistribute ISO text.
How Firstlight uses it. We refer to the 93 Annex A controls by their identifier (e.g. A.5.10, A.8.5) and title. For each control we include a Millwater-authored short summary in our own words. Findings tagged to an Annex A control are linked back to the canonical standard for buyers to consult.

ISO/IEC 27002:2022 — Information Security Controls (the 27001 implementation guidance)

Canonical source. iso.org/standard/75652.html
Copyright. © ISO/IEC.
Same treatment as ISO 27001:2022.

ISO/IEC 25010:2023 — Software Product Quality

Canonical source. iso.org/standard/78176.html
Copyright. © ISO/IEC.
Same treatment as ISO 27001:2022. Firstlight refers to the eight quality characteristics and their sub-characteristics by name with Millwater-authored short summaries.

PCI DSS — Payment Card Industry Data Security Standard v4.0.1

Canonical source. pcisecuritystandards.org
Copyright. © PCI Security Standards Council, LLC.
Licence. The DSS PDF is published free of charge but is not licensed for redistribution.
How Firstlight uses it. We refer to the 12 requirements and their sub-requirements by their canonical identifier (e.g. Req. 3.4.1) and provide Millwater-authored short summaries. We do not redistribute the DSS text. For the mapping of PCI DSS controls to AWS / Azure / GCP cloud services we import the structured JSON published under Apache 2.0 by Prowler (Section 1 above).

CIS Cloud Foundations Benchmarks (AWS, Azure, GCP, Kubernetes)

Copyright. © Center for Internet Security, Inc.
Licence. CIS Benchmarks are free for personal / non-commercial use under the CIS terms. Commercial use of the benchmarks requires CIS SecureSuite Membership. Firstlight does not redistribute the CIS benchmark PDFs.
How Firstlight uses it. Where a Firstlight finding references a control that overlaps a CIS benchmark, we use the Prowler-published derivative JSON (Apache 2.0), which paraphrases the benchmark structure. Readers wanting the canonical benchmark should download it from CIS.

How Firstlight respects share-alike obligations

Where Firstlight ships sections that incorporate content licensed under Creative Commons Attribution-ShareAlike 4.0 (OWASP, Diátaxis, arc42), those sections of Firstlight artefacts are licensed back to readers under the same licence. The compliance crosswalk and frameworks artefact sections that quote those frameworks are clearly marked, and the relevant licence URL appears at the foot of each artefact.

The remainder of the Firstlight product — the assessment engine, the platform, the customer portal, our own analysis text and findings — is the property of Millwater Consulting Ltd. and is offered under the terms of the Firstlight subscription agreement.


How to obtain the canonical frameworks

Where this disclosure says "readers should obtain the canonical standard from the publisher", the publishers are:


Contact

For licensing questions, errors, or take-down requests: legal@millwater.consulting.

Millwater Consulting Ltd. is the publisher of Firstlight and is responsible for this disclosure. We review this page on every Firstlight release and on any material change to an upstream framework's licence terms.