cnswp-v2-controls.yaml

uuid: ed17a132-f24c-4812-8c7b-688d2421113b
metadata:
  title: Cloud Native Security Controls Catalog
  last_modified: "2024-05-10T17:16:14.472+00:00"
  version: 0.0.1
  oscal_version: 1.0.4
controls:
  - id: control-195
    class_: CNSWP-v2.0
    title: Secrets are injected at runtime, such as environment variables or as a file
    props:
      - name: section
        value: Access
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: refs
        value: IA-5(7) Authenticator Management | No Embedded Unencrypted Static Authenticators
      - name: x-note
        value: Need to consider key rotation requirements in id:control-197
  - id: control-196
    class_: CNSWP-v2.0
    title: Applications and workloads are explicitly authorized to communicate with each other using mutual authentication
    props:
      - name: section
        value: Access
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: refs
        value: IA-9 Service Identification and Authentication
      - name: zta-tenet
        value: 2 - All communication is secured regardless of network location
      - name: zta-tenet
        value: 3 - Access to individual enterprise resources is granted on a per-session basis
  - id: control-197
    class_: CNSWP-v2.0
    title: Keys are rotated frequently
    props:
      - name: section
        value: Access
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: refs
        value: SC-12 Cryptographic Key Establishment and Management
      - name: zta-tenet
        value: 2 - All communication is secured regardless of network location
      - name: zta-tenet
        value: 4 - Access to resources is determined by dynamic policy ...
  - id: control-198
    class_: CNSWP-v2.0
    title: Key lifespan is short
    props:
      - name: section
        value: Access
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: refs
        value: SC-12(3) Cryptographic Key Establishment and Management | Asymetric Key
      - name: zta-tenet
        value: 4 - Access to resources is determined by dynamic policy ...
  - id: control-199
    class_: CNSWP-v2.0
    title: Credentials and keys protecting sensitive workloads (health/finance/etc) are customer managed (e.g. generated and managed independent of a cloud service provider)
    props:
      - name: section
        value: Access
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: description
        value: KMS and HMS are common technologies to achieve this. FIPS 140-2 compliance is strongly suggested. Cloud KMS tends to be FIPS 140-2 Level 2 or greater.
      - name: refs
        value: IA-2(12) Identification and Authentication (Organizational Users) | Acceptance of PIV Credentials
      - name: zta-tenet
        value: 6 - All resource auth and authz are dynamic and strictly enforced before access is allowed
  - id: control-200
    class_: CNSWP-v2.0
    title: Authentication and authorization are determined independently
    props:
      - name: section
        value: Access
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: refs
        value: IA-2(6) Identification and Authentication (Organizational Users) | Access to Accounts - Separate Devices
      - name: zta-tenet
        value: 6 - All resource auth and authz are dynamic and strictly enforced before access is allowed
  - id: control-201
    class_: CNSWP-v2.0
    title: Authentication and authorization are enforced independently
    props:
      - name: section
        value: Access
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: refs
        value: IA-2(6) Identification and Authentication (Organizational Users) | Access to Accounts - Separate Devices
      - name: zta-tenet
        value: 6 - All resource auth and authz are dynamic and strictly enforced before access is allowed
  - id: control-202
    class_: CNSWP-v2.0
    title: Access control and file permissions are updated in real-time
    props:
      - name: section
        value: Access
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: description
        value: where possible as caching may permit unauthorized access
      - name: refs
        value: SI-4(2) System Monitoring | Automated Tools and Mechanisms for Real-Time Analysis
      - name: zta-tenet
        value: 4 - Access to resources is determined by dynamic policy ...
      - name: zta-tenet
        value: 6 - All resource auth and authz are dynamic and strictly enforced before access is allowed
  - id: control-203
    class_: CNSWP-v2.0
    title: Authorization for workloads is granted based on attributes and roles/permissions previously assigned
    props:
      - name: section
        value: Access
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: refs
        value: AC-3(13) Access Enforcement | Attribute-Based Access Control
      - name: zta-tenet
        value: 6 - All resource auth and authz are dynamic and strictly enforced before access is allowed
  - id: control-204
    class_: CNSWP-v2.0
    title: ABAC and RBAC are used
    props:
      - name: section
        value: Access
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: refs
        value: AC-3(13) Access Enforcement | Attribute-Based Access Control, AC-3(7) Access Enforcement | Role-Based Access Control
      - name: zta-tenet
        value: 6 - All resource auth and authz are dynamic and strictly enforced before access is allowed
  - id: control-205
    class_: CNSWP-v2.0
    title: End user identity is capable of being accepted, consumed, and forwarded on for contextual or dynamic authorization
    props:
      - name: section
        value: Access
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: description
        value: This can be achieved through the use of identity documents and tokens.
      - name: refs
        value: SC-7(19) Boundary Protection | Block Communication from Non-Organizationally Configured Hosts
      - name: zta-tenet
        value: 4 - Access to resources is determined by dynamic policy ...
  - id: control-206
    class_: CNSWP-v2.0
    title: All cluster and workloads operators are authenticated
    props:
      - name: section
        value: Access
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: refs
        value: IA-7 Cryptographic Module Authentication
      - name: zta-tenet
        value: 1 - All data sources and computing services are considered resources
      - name: zta-tenet
        value: 4 - Access to resources is determined by dynamic policy ...
  - id: control-207
    class_: CNSWP-v2.0
    title: cluster and worklods operate actions are evaluated against access control policies governing context, purpose, and output
    props:
      - name: section
        value: Access
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: refs
        value: IA-7 Cryptographic Module Authentication
      - name: zta-tenet
        value: 1 - All data sources and computing services are considered resources
      - name: zta-tenet
        value: 4 - Access to resources is determined by dynamic policy ...
  - id: control-208
    class_: CNSWP-v2.0
    title: Identity federation uses multi-factor authentication for human users
    props:
      - name: section
        value: Access
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: refs
        value: IA-2(1)(2) Identification and Authentication (organizational Users) | Multi-Factor Authenticaiton to Priviledged & Non Priveledged Accounts
      - name: zta-tenet
        value: 6 - All resource auth and authz are dynamic and strictly enforced before access is allowed
  - id: control-209
    class_: CNSWP-v2.0
    title: HSMs are used to physically protect cryptographic secrets with an encryption key residing in the HSM
    props:
      - name: section
        value: Access
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: description
        value: If this is not possible, software-based credential managers should be used.
      - name: refs
        value: AC-4(4) Information Flow Enforcement | Flow Control of Encrypted Information, SC-3(1) Security Function Isolation | Hardware Separation
      - name: x-query
        value: Is there a relevant zero trust tenet to link with HSM secret storage
      - name: x-note
        value: cryptographic secret storage
  - id: control-210
    class_: CNSWP-v2.0
    title: Secrets should have a short expiration period or time to live
    props:
      - name: section
        value: Access
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: description
        value: Leverage tool-specific capabilities of secret manager
      - name: refs
        value: SI-12 Information Management and Retention
      - name: x-note
        value: Not directly related to tenets of zero trust
  - id: control-211
    class_: CNSWP-v2.0
    title: Time to live and expiration period on secrets is verfied to prevent reuse
    props:
      - name: section
        value: Access
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: description
        value: Leverage tool-specific capabilities of secret manager
      - name: refs
        value: AC-16(3) Security and Privacy Attributes | Maintenance of Attribute Associations by System
      - name: x-note
        value: Not directly related to tenets of zero trust
  - id: control-212
    class_: CNSWP-v2.0
    title: Secrets management systems are highly available
    props:
      - name: section
        value: Access
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: refs
        value: SC-12(1) Cryptographic Key Establishment and Management | Availability
      - name: x-note
        value: Not directly related to tenets of zero trust
  - id: control-213
    class_: CNSWP-v2.0
    title: Long-lived secrets adhere to periodic rotation and revocation
    props:
      - name: section
        value: Access
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: description
        value: Long-lived secrets are not recommended, but some capabilities require them
      - name: refs
        value: SI-12 Information Management and Retention
      - name: x-note
        value: Not directly related to tenets of zero trust
  - id: control-214
    class_: CNSWP-v2.0
    title: Secrets are distributed through secured communication channels protected commensurate with the level of access or data they are protecting
    props:
      - name: section
        value: Access
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: refs
        value: AC-16 Security and Privacy Atributes
      - name: zta-tenet
        value: 2 - All communication is secured regardless of network location
  - id: control-215
    class_: CNSWP-v2.0
    title: Secrets injected are runtime are masqued or dropped from logs, audit, or system dumps
    props:
      - name: section
        value: Access
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: description
        value: Even short lived secrets may be resused if caught in time by an interested attacker. Logs, audit, and systems dumps (i.e. in-memory shared volumes instead of environment variables) are all areas where runtime injected secrets show up
      - name: refs
        value: AU-9(3) Protection of Audit Information | Cryptographic Protection
      - name: x-note
        value: Not directly related to tenets of zero trust
  - id: control-216
    class_: CNSWP-v2.0
    title: Bootstrapping is employed to verify correct physical and logical location of compute
    props:
      - name: section
        value: Compute
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: description
        value: Secure Boot with TPM 2.0 or similar control
      - name: refs
        value: SI-7(9) Software, Firmware, and Information Integrity | Verify Boot Process
      - name: zta-tenet
        value: 4 - Access to resources is determined by dynamic policy ...
  - id: control-217
    class_: CNSWP-v2.0
    title: Disparate data sensitive workloads are not run on the same host OS kernel
    props:
      - name: section
        value: Compute
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: description
        value: 'There are at least three implementing controls possible: workloads may be separated by running in a separate cluster, on a separate node, or by implementing pods in independent VMs. It is also possible to emulate the kernel via an application kernel (e.g. gvisor)'
      - name: refs
        value: SC-7 Boundary Protection
      - name: x-note
        value: resource isolation is not explicitly mentioned in tenets of zero trust
  - id: control-218
    class_: CNSWP-v2.0
    title: Monitor and detect any changes to the initial configurations made in runtime
    props:
      - name: section
        value: Compute
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: description
        value: Preventative controls should be the primary control. Detective controls monitoring filesystem changes should be used to verify primary controls are operating properly.
      - name: refs
        value: CM-2(2) Baseline Configuration | Automation Support for Accuracy and Currency CM-3(7) Configuration Change Control | Review System Changes
      - name: zta-tenet
        value: 5 - The enterprise monitors and measures integrity / security posture ...
  - id: control-219
    class_: CNSWP-v2.0
    title: API auditing is enabled with a filter for a specific set of API Groups or verbs
    props:
      - name: section
        value: Compute
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: description
        value: API audits of the application, kubernetes API server, and kernel should be implemented.
      - name: refs
        value: AU-2 Event Logging
      - name: zta-tenet
        value: 5 - The enterprise monitors and measures integrity / security posture ...
  - id: control-220
    class_: CNSWP-v2.0
    title: Container specific operating systems are in use
    props:
      - name: section
        value: Compute
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: description
        value: a read-only OS with other services disabled. This provides isolation and resource confinement that enables developers to run isolated applications on a shared host kernel
      - name: refs
        value: CM-2 Baseline Configuration CM-7 Least Functionality
      - name: x-note
        value: resource isolation
  - id: control-221
    class_: CNSWP-v2.0
    title: The hardware root of trust is based in a Trusted Platform Module (TPM) or virtual TPM (vTPM)
    props:
      - name: section
        value: Compute
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: description
        value: Ensure HW root of trust extends to the host OS kernel, modules, system images, container runtimes, and all software on the system.
      - name: refs
        value: SI-7 Software, Firmware, and Information Integrity
      - name: zta-tenet
        value: 4 - Access to resources is determined by dynamic policy ...
      - name: zta-tenet
        value: 6 - All resource auth and authz are dynamic and strictly enforced before access is allowed
  - id: control-222
    class_: CNSWP-v2.0
    title: Minimize administrative access to the control plane
    props:
      - name: section
        value: Compute
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: description
        value: Enure both users and pods have the minimum necessary access
      - name: refs
        value: AC-6 Least Privilege
      - name: zta-tenet
        value: 6 - All resource auth and authz are dynamic and strictly enforced before access is allowed
      - name: zta-tenet
        value: 4 - Access to resources is determined by dynamic policy ...
  - id: control-223
    class_: CNSWP-v2.0
    title: Object level and resource requests and limits are controlled through cgroups
    props:
      - name: section
        value: Compute
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: description
        value: helps prevent exhaustion of node and cluster level resources by one misbehaving workload due to an intentional (e.g., fork bomb attack or cryptocurrency mining) or unintentional (e.g., reading a large file in memory without input validation, horizontal autoscaling to exhaust compute resources) issue
      - name: refs
        value: SI-7(16) Software, Firmware, and Information Integrity | Time Limit on Process Execution Without Supervision, SI-7(17) Software, Firmware, and Information Integrity | Runtime Application Self-protection
      - name: zta-tenet
        value: 4 - Access to resources is determined by dynamic policy ...
  - id: control-224
    class_: CNSWP-v2.0
    title: Systems processing alerts are periodically tuned for false positives
    props:
      - name: section
        value: Compute
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: description
        value: to avoid alert flooding, fatigue, and false negatives after security incidents that were not detected by the system
      - name: refs
        value: SI-4(13) System Monitoring | Analyze Traffic and Event Patterns
      - name: zta-tenet
        value: 7 - The enterprise collects as much info as possible .. to improve security posture
  - id: control-225
    class_: CNSWP-v2.0
    title: All orchestrator control plane components are configured to communicate via mutual authentication and certificate validation with a periodically rotated certificate
    props:
      - name: section
        value: Compute
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: description
        value: In unfederated clusters, the CA should be used exclusively for the current cluster.
      - name: refs
        value: AC-3 Access Enforcement
      - name: zta-tenet
        value: 2 - All communication is secured regardless of network location
      - name: zta-tenet
        value: 3 - Access to individual enterprise resources is granted on a per-session basis
  - id: control-226
    class_: CNSWP-v2.0
    title: Only sanctioned capabilities and system calls (e.g. seccomp filters), are allowed to execute or be invoked in a container by the host operating system
    props:
      - name: section
        value: Compute
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: description
        value: Additional tooling should be installed that go beyond k8s capabilities to limit system calls. E.g. Falco.
      - name: refs
        value: CM-2 Baseline Configuration CM-7 Least Functionality
      - name: x-note
        value: resource isolation
  - id: control-227
    class_: CNSWP-v2.0
    title: Changes to critical mount points and files are prevented, monitored, and alerted
    props:
      - name: section
        value: Compute
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: refs
        value: CM-5 Access Restrictions for Change
      - name: x-note
        value: resource isolation
  - id: control-228
    class_: CNSWP-v2.0
    title: Runtime configuration control prevents changes to binaries, certificates, and remote access configurations
    props:
      - name: section
        value: Compute
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: refs
        value: CM-5 Access Restrictions for Change
      - name: x-note
        value: resource isolation
  - id: control-229
    class_: CNSWP-v2.0
    title: Runtime configuration prevents ingress and egress network access for containers to only what is required to operate
    props:
      - name: section
        value: Compute
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: refs
        value: SC-7 Boundary Protection
      - name: zta-tenet
        value: 4 - Access to resources is determined by dynamic policy ...
  - id: control-230
    class_: CNSWP-v2.0
    title: Policies are defined that restrict communications to only occur between sanctioned microservice pairs
    props:
      - name: section
        value: Compute
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: refs
        value: SC-7 Boundary Protection
      - name: zta-tenet
        value: 4 - Access to resources is determined by dynamic policy ...
      - name: zta-tenet
        value: 6 - All resource auth and authz are dynamic and strictly enforced before access is allowed
  - id: control-231
    class_: CNSWP-v2.0
    title: Use a policy agent to control and enforce authorized, signed container images
    props:
      - name: section
        value: Compute
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: refs
        value: CM-5 Access Restrictions for Change
      - name: zta-tenet
        value: 4 - Access to resources is determined by dynamic policy ...
  - id: control-232
    class_: CNSWP-v2.0
    title: Use a policy agent to control provenance assurance for operational workloads
    props:
      - name: section
        value: Compute
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: refs
        value: CM-5 Access Restrictions for Change
      - name: x-note
        value: identity attestation
  - id: control-233
    class_: CNSWP-v2.0
    title: Use a service mesh that eliminates implicit trust through data-in-motion protection (i.e. confidentiality, integrity, authentication, authorization)
    props:
      - name: section
        value: Compute
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: refs
        value: SC-7 Boundary Protection
      - name: zta-tenet
        value: 6 - All resource auth and authz are dynamic and strictly enforced before access is allowed
  - id: control-234
    class_: CNSWP-v2.0
    title: Use components that detect, track, aggregate and report system calls and network traffic from a container
    props:
      - name: section
        value: Compute
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: description
        value: should be leveraged to look for unexpected or malicious behavior
      - name: refs
        value: SI-4 System Monitoring
      - name: zta-tenet
        value: 7 - The enterprise collects as much info as possible .. to improve security posture
  - id: control-235
    class_: CNSWP-v2.0
    title: Workloads should be dynamically scanned to detect malicious or insidious behavior for which no known occurrence yet exists
    props:
      - name: section
        value: Compute
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: description
        value: Events such as an extended sleep command that executes data exfiltration from etcd after the workload has been running for X amount of days are not expected in the majority of environments and therefore are not included in security tests. The aspect that workloads can have time or event delayed trojan horses is only detectable by comparing to baseline expected behavior, often discovered during thorough activity and scan monitoring
      - name: refs
        value: SI-3 Malicious Code Protection
      - name: zta-tenet
        value: 7 - The enterprise collects as much info as possible .. to improve security posture
  - id: control-236
    class_: CNSWP-v2.0
    title: Environments are continuously scanned to detect new vulnerabilities in workloads
    props:
      - name: section
        value: Compute
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: description
        value: Vulnerabilities are constantly being discovered, just because it wasnt vulnerable at deploy, doesn't mean it won't be vulnerable in two weeks
      - name: refs
        value: RA-5 Vulnerability Monitoring and Scanning
      - name: zta-tenet
        value: 5 - The enterprise monitors and measures integrity / security posture ...
  - id: control-237
    class_: CNSWP-v2.0
    title: Actionable audit events are generated that correlate/contextualize data from logs into "information" that can drive decision trees/incident response
    props:
      - name: section
        value: Compute
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: refs
        value: AU-3 Content of Audit Records
      - name: zta-tenet
        value: 7 - The enterprise collects as much info as possible .. to improve security posture
  - id: control-238
    class_: CNSWP-v2.0
    title: Segregation of duties and the principle of least privilege is enforced
    props:
      - name: section
        value: Compute
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: refs
        value: AC-6 Least Privilege
      - name: x-note
        value: resource isolation
  - id: control-239
    class_: CNSWP-v2.0
    title: Non-compliant violations are detected based on a pre-configured set of rules defined by the organization's policies
    props:
      - name: section
        value: Compute
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: refs
        value: SI-7 Software, Firmware, and Information Integrity
      - name: zta-tenet
        value: 5 - The enterprise monitors and measures integrity / security posture ...
  - id: control-240
    class_: CNSWP-v2.0
    title: Native secret stores encrypt with keys from an external Key Management Store (KMS)
    props:
      - name: section
        value: Compute
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: refs
        value: SC-12(3) Systems & Communication Protection
      - name: x-query
        value: relationship to zero trust?
  - id: control-241
    class_: CNSWP-v2.0
    title: Native secret stores are not configured for base64 encoding or stored in clear-text in the key-value store by default
    props:
      - name: section
        value: Compute
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: description
        value: Encoding is not encryption
      - name: refs
        value: SC-12(3) Systems & Communication Protection
      - name: x-query
        value: relationship to zero trust?
  - id: control-242
    class_: CNSWP-v2.0
    title: Network traffic to malicious domains is detected and denied
    props:
      - name: section
        value: Compute
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: refs
        value: SI-4 System Monitoring
      - name: zta-tenet
        value: 4 - Access to resources is determined by dynamic policy ...
  - id: control-243
    class_: CNSWP-v2.0
    title: Use encrypted containers for sensitive sources, methods, and data
    props:
      - name: section
        value: Compute
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: refs
        value: SC-28 Protection of Information at Rest
      - name: x-note
        value: resource isolation
  - id: control-244
    class_: CNSWP-v2.0
    title: Use SBOMs to identify current deployments of vulnerable libraries, dependencies, and packages
    props:
      - name: section
        value: Compute
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: refs
        value: CM-8 System Component Inventory
      - name: zta-tenet
        value: 7 - The enterprise collects as much info as possible .. to improve security posture
  - id: control-245
    class_: CNSWP-v2.0
    title: Processes must execute only functions explicitly defined in an allow list
    props:
      - name: section
        value: Compute
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: refs
        value: CM-2 Baseline Configuration CM-7 Least Functionality
      - name: zta-tenet
        value: 4 - Access to resources is determined by dynamic policy ...
  - id: control-246
    class_: CNSWP-v2.0
    title: Functions are not be allowed to make changes to critical file system mount points
    props:
      - name: section
        value: Compute
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: refs
        value: CM-5 Access Restrictions for Change
      - name: x-note
        value: resource isolation
  - id: control-247
    class_: CNSWP-v2.0
    title: Function access is only permitted to sanctioned services
    props:
      - name: section
        value: Compute
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: description
        value: Either through networking restrictions or least privilege in permission models
      - name: refs
        value: CM-2 Baseline Configuration CM-7 Least Functionality
      - name: zta-tenet
        value: 3 - Access to individual enterprise resources is granted on a per-session basis
      - name: zta-tenet
        value: 4 - Access to resources is determined by dynamic policy ...
      - name: zta-tenet
        value: 6 - All resource auth and authz are dynamic and strictly enforced before access is allowed
  - id: control-248
    class_: CNSWP-v2.0
    title: Egress network connection is monitored to detect and prevent access to C&C (command and control) and other malicious network domains
    props:
      - name: section
        value: Compute
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: refs
        value: SI-4 System Monitoring
      - name: zta-tenet
        value: 2 - All communication is secured regardless of network location
  - id: control-249
    class_: CNSWP-v2.0
    title: Ingress network inspection is employed detect and remove malicious payloads and commands
    props:
      - name: section
        value: Compute
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: description
        value: For instance, SQL injection attacks can be detected using inspection.
      - name: refs
        value: SI-4 System Monitoring
      - name: zta-tenet
        value: 2 - All communication is secured regardless of network location
  - id: control-250
    class_: CNSWP-v2.0
    title: Serverless functions are run in tenant-based resource or performance isolation for similar data classifications
    props:
      - name: section
        value: Compute
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: description
        value: This may impact the performance due to limitations in the address space available to the isolation environment and should be considered for only the most sensitive workloads.
      - name: refs
        value: SC-7(21) Boundary Protection | Isolation of System Components
      - name: x-note
        value: resource isolation
  - id: control-251
    class_: CNSWP-v2.0
    title: Trust confirmation verifies the image has a valid signature from an authorized source
    props:
      - name: section
        value: Deploy
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: refs
        value: SR-4 (3) PROVENANCE | VALIDATE AS GENUINE AND NOT ALTERED, SR-4 (4)  PROVENANCE | SUPPLY CHAIN INTEGRITY — PEDIGREE
      - name: x-query
        value: relationship to zero trust?
  - id: control-252
    class_: CNSWP-v2.0
    title: Image runtime policies are enforced prior to deployment
    props:
      - name: section
        value: Deploy
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: refs
        value: SI-7 (17) SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | RUNTIME APPLICATION SELF-PROTECTION
      - name: x-query
        value: relationship to zero trust?
  - id: control-253
    class_: CNSWP-v2.0
    title: Image integrity and signature are verified prior to deployment
    props:
      - name: section
        value: Deploy
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: refs
        value: SR-4 (3) PROVENANCE | VALIDATE AS GENUINE AND NOT ALTERED, SR-4 (4)  PROVENANCE | SUPPLY CHAIN INTEGRITY — PEDIGREE
      - name: x-query
        value: relationship to zero trust?
  - id: control-254
    class_: CNSWP-v2.0
    title: Applications provide logs regarding authentication, authorization, actions, and failures
    props:
      - name: section
        value: Deploy
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: refs
        value: CM-3 CONFIGURATION CHANGE CONTROL
      - name: zta-tenet
        value: 7 - The enterprise collects as much info as possible .. to improve security posture
  - id: control-255
    class_: CNSWP-v2.0
    title: Forensics capabilities are integrated into an incident response plan and procedures
    props:
      - name: section
        value: Deploy
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: refs
        value: INCIDENT HANDLING | MALICIOUS CODE AND FORENSIC ANALYSIS
      - name: zta-tenet
        value: 7 - The enterprise collects as much info as possible .. to improve security posture
  - id: control-256
    class_: CNSWP-v2.0
    title: AI, ML, or statistical modeling are used for behavioural and heuristic environment analysis to detect unwanted activities
    props:
      - name: section
        value: Deploy
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: refs
        value: SI-3 SYSTEM AND INFORMATION INTEGRITY
      - name: zta-tenet
        value: 7 - The enterprise collects as much info as possible .. to improve security posture
  - id: control-257
    class_: CNSWP-v2.0
    title: Establish a dedicated Production environment
    props:
      - name: section
        value: Develop
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: description
        value: Ensure that production workloads are in a separate, dedicated environment from non-production workloads. In the context of containers, this can mean separate clusters. In the case of VMs, separate networks.
      - name: refs
        value: SA-3(1) SYSTEM DEVELOPMENT LIFE CYCLE | MANAGE PREPRODUCTION ENVIRONMENT
      - name: x-query
        value: relationship to zero trust?
  - id: control-258
    class_: CNSWP-v2.0
    title: Leverage Dynamic deployments
    props:
      - name: section
        value: Develop
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: description
        value: Blue/Green, Alpha/Beta, Canary, red-black deployments
      - name: refs
        value: SA-8(31) SECURITY AND PRIVACY ENGINEERING PRINCIPLES | SECURE SYSTEM MODIFICATION
      - name: x-query
        value: relationship to zero trust?
  - id: control-259
    class_: CNSWP-v2.0
    title: Integrate vulnerability and configuration scanning in both the IDE and at the CI system during pull request
    props:
      - name: section
        value: Develop
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: refs
        value: SA-11(1) DEVELOPER TESTING AND EVALUATION | STATIC CODE ANALYSIS
      - name: zta-tenet
        value: 7 - The enterprise collects as much info as possible .. to improve security posture
  - id: control-260
    class_: CNSWP-v2.0
    title: Establish dedicated development, testing, and production environment
    props:
      - name: section
        value: Develop
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: refs
        value: SA-15 DEVELOPMENT PROCESS, STANDARDS, AND TOOLS
      - name: x-query
        value: relationship to zero trust?
  - id: control-261
    class_: CNSWP-v2.0
    title: Build tests for business-critical code
    props:
      - name: section
        value: Develop
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: refs
        value: SA-11 DEVELOPER TESTING AND EVALUATION
      - name: x-query
        value: relationship to zero trust?
  - id: control-262
    class_: CNSWP-v2.0
    title: Build tests for business-critical infrastructure
    props:
      - name: section
        value: Develop
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: refs
        value: SA-11 DEVELOPER TESTING AND EVALUATION
      - name: x-query
        value: relationship to zero trust?
  - id: control-263
    class_: CNSWP-v2.0
    title: Test suite able to be ran locally
    props:
      - name: section
        value: Develop
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: refs
        value: SA-11 DEVELOPER TESTING AND EVALUATION
      - name: x-query
        value: relationship to zero trust?
  - id: control-264
    class_: CNSWP-v2.0
    title: Test suites should be available to run in a shared environment
    props:
      - name: section
        value: Develop
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: refs
        value: SA-11 DEVELOPER TESTING AND EVALUATION
      - name: x-query
        value: relationship to zero trust?
  - id: control-265
    class_: CNSWP-v2.0
    title: Implement at least one other non-author reviewer/approver prior to merging
    props:
      - name: section
        value: Develop
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: refs
        value: SA-11(4) DEVELOPER TESTING AND EVALUATION | MANUAL CODE REVIEWS
      - name: x-query
        value: relationship to zero trust?
  - id: control-266
    class_: CNSWP-v2.0
    title: Code should be clean and well commented
    props:
      - name: section
        value: Develop
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: x-note
        value: software quality
      - name: x-query
        value: relationship to zero trust?
  - id: control-267
    class_: CNSWP-v2.0
    title: Full infrastructure tests are used
    props:
      - name: section
        value: Develop
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: refs
        value: SA-11 DEVELOPER TESTING AND EVALUATION
      - name: x-note
        value: software quality
  - id: control-268
    class_: CNSWP-v2.0
    title: Regression tests are used
    props:
      - name: section
        value: Develop
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: refs
        value: SA-11 DEVELOPER TESTING AND EVALUATION
      - name: x-note
        value: software quality
  - id: control-269
    class_: CNSWP-v2.0
    title: Test suites are updated against new and emerging threats and developed into security regressions tests
    props:
      - name: section
        value: Develop
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: refs
        value: SA-11 DEVELOPER TESTING AND EVALUATION
      - name: x-note
        value: software quality feedback loop
  - id: control-270
    class_: CNSWP-v2.0
    title: Establish a dedicated Testing environment
    props:
      - name: section
        value: Develop
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: refs
        value: SA-3(1) SYSTEM DEVELOPMENT LIFE CYCLE | MANAGE PREPRODUCTION ENVIRONMENT
      - name: x-note
        value: software quality
  - id: control-271
    class_: CNSWP-v2.0
    title: Continuous integration server is isolated and hardened
    props:
      - name: section
        value: Develop
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: refs
        value: SC-39 PROCESS ISOLATION
      - name: zta-tenet
        value: 1 - All data sources and computing services are considered resources
      - name: x-note
        value: Development infrastructure is a zero trust resource
  - id: control-272
    class_: CNSWP-v2.0
    title: Use threat model results to determine ROI for test development
    props:
      - name: section
        value: Develop
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: refs
        value: SA-11(2) DEVELOPER TESTING AND EVALUATION | THREAT MODELING AND VULNERABILITY ANALYSES
      - name: x-note
        value: software quality feedback loop
  - id: control-273
    class_: CNSWP-v2.0
    title: Implement secure configuration as the default state of the system
    props:
      - name: section
        value: Develop
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: description
        value: Transitioning towards such a system involves making security a design requirement, inheriting default security configuration and supporting an exception process
      - name: refs
        value: SA-8(23) SECURITY AND PRIVACY ENGINEERING PRINCIPLES | SECURE DEFAULTS
      - name: zta-tenet
        value: 2 - All communication is secured regardless of network location
  - id: control-274
    class_: CNSWP-v2.0
    title: Should software artifacts become untrusted due to compromise or other incident, teams should revoke signing keys to ensure repudiation
    props:
      - name: section
        value: Distribute
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: zta-tenet
        value: 5 - The enterprise monitors and measures integrity / security posture ...
  - id: control-275
    class_: CNSWP-v2.0
    title: Artifacts ready for deployment are managed in a staging or pre-prod registry
    props:
      - name: section
        value: Distribute
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: zta-tenet
        value: 1 - All data sources and computing services are considered resources
  - id: control-276
    class_: CNSWP-v2.0
    title: container images are hardened following best practices
    props:
      - name: section
        value: Distribute
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: description
        value: Images contain least permissions to remain functional, do not allow for shell, do not include unnecessary libraries and dependencies, do not bind mount files in from the host, etc.
      - name: x-note
        value: data security
  - id: control-277
    class_: CNSWP-v2.0
    title: Static application security testing (SAST) is performed
    props:
      - name: section
        value: Distribute
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: description
        value: Static analysis is performed by dedicated SAST tools as well as linters
      - name: zta-tenet
        value: 7 - The enterprise collects as much info as possible .. to improve security posture
  - id: control-278
    class_: CNSWP-v2.0
    title: Test suites follow the test pyramid
    props:
      - name: section
        value: Distribute
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: x-note
        value: software quality
  - id: control-279
    class_: CNSWP-v2.0
    title: Artifacts undergoing active development are held in a private registery
    props:
      - name: section
        value: Distribute
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: zta-tenet
        value: 1 - All data sources and computing services are considered resources
  - id: control-280
    class_: CNSWP-v2.0
    title: Scan application manifests in CI pipeline
    props:
      - name: section
        value: Distribute
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: refs
        value: RA-5 VULNERABILITY MONITORING AND SCANNING
      - name: zta-tenet
        value: 7 - The enterprise collects as much info as possible .. to improve security posture
  - id: control-281
    class_: CNSWP-v2.0
    title: CI server's for sensitive workloads are isolated from other workloads
    props:
      - name: section
        value: Distribute
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: refs
        value: SC-39 PROCESS ISOLATION
      - name: zta-tenet
        value: 1 - All data sources and computing services are considered resources
  - id: control-282
    class_: CNSWP-v2.0
    title: Builds requiring elevated privileges must run on dedicated servers
    props:
      - name: section
        value: Distribute
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: refs
        value: SC-39 PROCESS ISOLATION
      - name: zta-tenet
        value: 1 - All data sources and computing services are considered resources
  - id: control-283
    class_: CNSWP-v2.0
    title: Build policies are enforced on the CI pipeline
    props:
      - name: section
        value: Distribute
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: refs
        value: SA-1 POLICY AND PROCEDURES
      - name: x-note
        value: software quality
  - id: control-284
    class_: CNSWP-v2.0
    title: Sign pipeline metadata
    props:
      - name: section
        value: Distribute
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: refs
        value: SI-7 SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY
      - name: x-note
        value: software quality
  - id: control-285
    class_: CNSWP-v2.0
    title: Build stages are verified prior to the next stage executing
    props:
      - name: section
        value: Distribute
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: refs
        value: SI-7 SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY
      - name: x-note
        value: software quality
  - id: control-286
    class_: CNSWP-v2.0
    title: Images are scanned within the CI pipeline
    props:
      - name: section
        value: Distribute
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: refs
        value: RA-5 VULNERABILITY MONITORING AND SCANNING, SA-3 SYSTEM DEVELOPMENT LIFE CYCLE
      - name: zta-tenet
        value: 7 - The enterprise collects as much info as possible .. to improve security posture
  - id: control-287
    class_: CNSWP-v2.0
    title: Vulnerability scans are coupled with pipeline compliance rules
    props:
      - name: section
        value: Distribute
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: description
        value: Prevent insecure images and artifacts from being deployed
      - name: refs
        value: SA-1 POLICY AND PROCEDURES
      - name: zta-tenet
        value: 7 - The enterprise collects as much info as possible .. to improve security posture
  - id: control-288
    class_: CNSWP-v2.0
    title: Dynamic application security testing (DAST) is performed
    props:
      - name: section
        value: Distribute
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: refs
        value: SA-11 (8) & (9) INTERACTIVE APPLICATION SECURITY TESTING
      - name: zta-tenet
        value: 5 - The enterprise monitors and measures integrity / security posture ...
  - id: control-289
    class_: CNSWP-v2.0
    title: Application instrumentation is employed
    props:
      - name: section
        value: Distribute
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: refs
        value: SI-4 SYSTEM MONITORING
      - name: zta-tenet
        value: 7 - The enterprise collects as much info as possible .. to improve security posture
  - id: control-290
    class_: CNSWP-v2.0
    title: Automated test results map back to requirements
    props:
      - name: section
        value: Distribute
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: description
        value: Requirements include feature, function, security, and complaince
      - name: x-note
        value: software quality feedback loop
  - id: control-291
    class_: CNSWP-v2.0
    title: Infrastructure security tests must be employed
    props:
      - name: section
        value: Distribute
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: description
        value: firewall rules open to the world, overprivileged Identity & Access Management (IAM) policies, unauthenticated endpoints, etc
      - name: x-note
        value: software quality
  - id: control-292
    class_: CNSWP-v2.0
    title: Tests to verify the security health are executed at time of build and at time of deploy
    props:
      - name: section
        value: Distribute
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: description
        value: to evaluate any changes or regressions that may have occurred throughout the lifecycle.
      - name: refs
        value: SI-4 SYSTEM MONITORING
      - name: zta-tenet
        value: 5 - The enterprise monitors and measures integrity / security posture ...
  - id: control-293
    class_: CNSWP-v2.0
    title: IaC is subject to the same pipeline policy controls as application code
    props:
      - name: section
        value: Distribute
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: zta-tenet
        value: 1 - All data sources and computing services are considered resources
  - id: control-294
    class_: CNSWP-v2.0
    title: Security testing is automated
    props:
      - name: section
        value: Distribute
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: refs
        value: SA-11 DEVELOPER TESTING AND EVALUATION, CA-8 PENETRATION TESTING
      - name: zta-tenet
        value: 5 - The enterprise monitors and measures integrity / security posture ...
  - id: control-295
    class_: CNSWP-v2.0
    title: Registries require mutually authenticated TLS for all registry connections
    props:
      - name: section
        value: Distribute
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: refs
        value: IA-3(1) CRYPTOGRAPHIC BIDIRECTIONAL AUTHENTICATION
      - name: zta-tenet
        value: 6 - All resource auth and authz are dynamic and strictly enforced before access is allowed
  - id: control-296
    class_: CNSWP-v2.0
    title: Image and metadata are signed
    props:
      - name: section
        value: Distribute
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: refs
        value: SI-7 SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY
      - name: zta-tenet
        value: 4 - Access to resources is determined by dynamic policy ...
  - id: control-297
    class_: CNSWP-v2.0
    title: Workload-related configuration is signed
    props:
      - name: section
        value: Distribute
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: refs
        value: SI-7 SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY
      - name: zta-tenet
        value: 4 - Access to resources is determined by dynamic policy ...
  - id: control-298
    class_: CNSWP-v2.0
    title: Workload-related package is signed
    props:
      - name: section
        value: Distribute
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: refs
        value: SI-7 SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY
      - name: zta-tenet
        value: 4 - Access to resources is determined by dynamic policy ...
  - id: control-299
    class_: CNSWP-v2.0
    title: Validate integrity of images
    props:
      - name: section
        value: Distribute
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: refs
        value: SI-7 SYSTEM & INFORMATION INTEGRITY
      - name: zta-tenet
        value: 5 - The enterprise monitors and measures integrity / security posture ...
  - id: control-300
    class_: CNSWP-v2.0
    title: Scan images for vulnerabilities and malware
    props:
      - name: section
        value: Distribute
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: refs
        value: RA-5 VULNERABILITY MONITORING AND SCANNING, SA-3 SYSTEM DEVELOPMENT LIFE CYCLE
      - name: zta-tenet
        value: 5 - The enterprise monitors and measures integrity / security posture ...
  - id: control-301
    class_: CNSWP-v2.0
    title: Enable image signing key revokation in the event of compromise
    props:
      - name: section
        value: Distribute
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: refs
        value: SI-7 SYSTEM & INFORMATION INTEGRITY
      - name: zta-tenet
        value: 4 - Access to resources is determined by dynamic policy ...
      - name: zta-tenet
        value: 6 - All resource auth and authz are dynamic and strictly enforced before access is allowed
  - id: control-302
    class_: CNSWP-v2.0
    title: Security updates are prioritized
    props:
      - name: section
        value: Distribute
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: refs
        value: SI-2(3) SYSTEM & INFORMATION INTEGRITY
      - name: zta-tenet
        value: 7 - The enterprise collects as much info as possible .. to improve security posture
  - id: control-303
    class_: CNSWP-v2.0
    title: HSMs or credential managers should be used for protecting credentials. If this is not possible, software-based credential managers should be used.
    props:
      - name: section
        value: Distribute
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: refs
        value: SC-12(3) SYSTEMS & COMMUNICATION PROTECTION
      - name: x-note
        value: cryptographic secret storage
  - id: control-304
    class_: CNSWP-v2.0
    title: Container image scanning findings are acted upon
    props:
      - name: section
        value: Distribute
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: refs
        value: SI-2(3) SYSTEM & INFORMATION INTEGRITY
      - name: zta-tenet
        value: 7 - The enterprise collects as much info as possible .. to improve security posture
  - id: control-305
    class_: CNSWP-v2.0
    title: Organizational compliance rules are enforced
    props:
      - name: section
        value: Distribute
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: refs
        value: PL-1 POLICY AND PROCEDURES
      - name: x-query
        value: relationship to zero trust?
  - id: control-306
    class_: CNSWP-v2.0
    title: Incremental hardening of the infrastructure is employed
    props:
      - name: section
        value: Distribute
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: zta-tenet
        value: 7 - The enterprise collects as much info as possible .. to improve security posture
  - id: control-307
    class_: CNSWP-v2.0
    title: pulls from public registries are controlled and only from authorized engineers or internal registries
    props:
      - name: section
        value: Distribute
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: refs
        value: AC-6(3) LEAST PRIVILEGE | NETWORK ACCESS TO PRIVILEGED COMMANDS
      - name: zta-tenet
        value: 6 - All resource auth and authz are dynamic and strictly enforced before access is allowed
      - name: zta-tenet
        value: 2 - All communication is secured regardless of network location
      - name: zta-tenet
        value: 4 - Access to resources is determined by dynamic policy ...
  - id: control-308
    class_: CNSWP-v2.0
    title: Image encryption is coupled with key management attestation and/or authorization and credential distribution
    props:
      - name: section
        value: Distribute
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: description
        value: This restricts the image to only be deployed to authorized platforms. Container image authorization is useful for compliance use cases such as geo-fencing or export control and digital rights media management
      - name: refs
        value: SC-12(2) CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT | SYMMETRIC & ASYMMETRIC KEYS, SC-12(3) CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT | SYMMETRIC & ASYMMETRIC KEYS
      - name: zta-tenet
        value: 6 - All resource auth and authz are dynamic and strictly enforced before access is allowed
  - id: control-309
    class_: CNSWP-v2.0
    title: At-risk applications are prioritized for remediation by the exploit maturity and vulnerable path presence in addition to the CVSS score
    props:
      - name: section
        value: Distribute
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: refs
        value: SI-2(3) SYSTEM & INFORMATION INTEGRITY
      - name: zta-tenet
        value: 7 - The enterprise collects as much info as possible .. to improve security posture
  - id: control-310
    class_: CNSWP-v2.0
    title: Network policies enforce east-west network communication within the container deployment is limited to only that which is authorized for access
    props:
      - name: section
        value: Security Assurance
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: refs
        value: AC-6(3) LEAST PRIVILEGE | NETWORK ACCESS TO PRIVILEGED COMMANDS
      - name: zta-tenet
        value: 2 - All communication is secured regardless of network location
      - name: zta-tenet
        value: 4 - Access to resources is determined by dynamic policy ...
      - name: zta-tenet
        value: 6 - All resource auth and authz are dynamic and strictly enforced before access is allowed
      - name: zta-tenet
        value: 4 - Access to resources is determined by dynamic policy ...
  - id: control-311
    class_: CNSWP-v2.0
    title: Incident reponse considers cloud native workloads
    props:
      - name: section
        value: Security Assurance
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: description
        value: workloads which may not always conform with some underlying assumptions about node isolation (new pod instances could run on a different server), networking (e.g. IP addresses are assigned dynamically) and immutability (e.g. runtime changes to container are not persisted across restarts)
      - name: refs
        value: IR-4 INCIDENT HANDLING | AUTOMATED INCIDENT HANDLING PROCESSES, IR-4(5) INCIDENT HANDLING | AUTOMATIC DISABLING OF SYSTEM, CA-7 CONTINUOUS MONITORING
      - name: zta-tenet
        value: 1 - All data sources and computing services are considered resources
  - id: control-312
    class_: CNSWP-v2.0
    title: Incident response accounts for appropriate evidence handling and collection of coud native workloads
    props:
      - name: section
        value: Security Assurance
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: refs
        value: IR-5(1) INCIDENT MONITORING | AUTOMATED TRACKING, DATA COLLECTION, AND ANALYSIS
      - name: zta-tenet
        value: 7 - The enterprise collects as much info as possible .. to improve security posture
  - id: control-313
    class_: CNSWP-v2.0
    title: Rootless builds are employed
    props:
      - name: section
        value: Security Assurance
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: x-note
        value: resource isolation
  - id: control-314
    class_: CNSWP-v2.0
    title: cgroups and system groups are used to isolate workloads and deployments
    props:
      - name: section
        value: Security Assurance
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: zta-tenet
        value: 4 - Access to resources is determined by dynamic policy ...
      - name: x-note
        value: resource isolation
  - id: control-315
    class_: CNSWP-v2.0
    title: MAC implementations are employed
    props:
      - name: section
        value: Security Assurance
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: description
        value: SELinux, AppArmor
      - name: refs
        value: AC-3(3) ACCESS ENFORCEMENT | MANDATORY ACCESS CONTROL
      - name: zta-tenet
        value: 6 - All resource auth and authz are dynamic and strictly enforced before access is allowed
      - name: zta-tenet
        value: 4 - Access to resources is determined by dynamic policy ...
  - id: control-316
    class_: CNSWP-v2.0
    title: Threat model code and infrastructure
    props:
      - name: section
        value: Security Assurance
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: description
        value: While various strategies are available, the MITRE ATT&CK matrix is an excellent starting point
      - name: refs
        value: SA-11(2) DEVELOPER TESTING AND EVALUATION | THREAT MODELING AND VULNERABILITY ANALYSES
      - name: zta-tenet
        value: 7 - The enterprise collects as much info as possible .. to improve security posture
  - id: control-317
    class_: CNSWP-v2.0
    title: Entities are able to independently authenticate other identities
    props:
      - name: section
        value: Security Assurance
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: description
        value: Public Key Infrastructure
      - name: refs
        value: IA-9 SERVICE IDENTIFICATION AND AUTHENTICATION
      - name: zta-tenet
        value: 4 - Access to resources is determined by dynamic policy ...
      - name: zta-tenet
        value: 6 - All resource auth and authz are dynamic and strictly enforced before access is allowed
      - name: zta-tenet
        value: 4 - Access to resources is determined by dynamic policy ...
  - id: control-318
    class_: CNSWP-v2.0
    title: Each entity can create proof of who the identity is
    props:
      - name: section
        value: Security Assurance
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: refs
        value: IA-9 SERVICE IDENTIFICATION AND AUTHENTICATION
      - name: zta-tenet
        value: 1 - All data sources and computing services are considered resources
      - name: x-note
        value: identity attestation
  - id: control-319
    class_: CNSWP-v2.0
    title: Orchestrator is running on an a trusted OS, BIOS, etc
    props:
      - name: section
        value: Security Assurance
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: refs
        value: CM-14 SIGNED COMPONENTS
      - name: zta-tenet
        value: 1 - All data sources and computing services are considered resources
      - name: zta-tenet
        value: 7 - The enterprise collects as much info as possible .. to improve security posture
  - id: control-320
    class_: CNSWP-v2.0
    title: Orchestrator verifies the claims of a container
    props:
      - name: section
        value: Security Assurance
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: refs
        value: SI-6 SECURITY AND PRIVACY FUNCTION VERIFICATION
      - name: zta-tenet
        value: 4 - Access to resources is determined by dynamic policy ...
  - id: control-321
    class_: CNSWP-v2.0
    title: Orchestrator network policies are used in conjunction with a service mesh
    props:
      - name: section
        value: Security Assurance
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: zta-tenet
        value: 3 - Access to individual enterprise resources is granted on a per-session basis
  - id: control-322
    class_: CNSWP-v2.0
    title: Adhere to supply chain security best practices
    props:
      - name: section
        value: Security Assurance
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: description
        value: The SSCP controls in this document provide the necessary controls for best practices
      - name: zta-tenet
        value: 1 - All data sources and computing services are considered resources
  - id: control-323
    class_: CNSWP-v2.0
    title: Restrict access to repository and branches
    props:
      - name: section
        value: Security Assurance
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: description
        value: The 'Security the Source Code' SSCP controls provide the necessary GitOps best practices
      - name: zta-tenet
        value: 4 - Access to resources is determined by dynamic policy ...
  - id: control-324
    class_: CNSWP-v2.0
    title: Never store unencrypted credentials or secrets in the Git repository and block sensitive data being pushed to Git
    props:
      - name: section
        value: Security Assurance
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: description
        value: The 'Security the Source Code' SSCP controls provide the necessary GitOps best practices
      - name: x-note
        value: cryptographic secret storage
  - id: control-325
    class_: CNSWP-v2.0
    title: Enforce strong identity with GPG Signed Commits, to give accountability and traceability
    props:
      - name: section
        value: Security Assurance
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: description
        value: The 'Security the Source Code' SSCP controls provide the necessary GitOps best practices
      - name: zta-tenet
        value: 5 - The enterprise monitors and measures integrity / security posture ...
  - id: control-326
    class_: CNSWP-v2.0
    title: Require linear history and maintain a commit history by disallowing force pushes
    props:
      - name: section
        value: Security Assurance
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: description
        value: The 'Security the Source Code' SSCP controls provide the necessary GitOps best practices
      - name: zta-tenet
        value: 5 - The enterprise monitors and measures integrity / security posture ...
  - id: control-327
    class_: CNSWP-v2.0
    title: Enforce branching policy. Especially protect the main branch and require code review before merging
    props:
      - name: section
        value: Security Assurance
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: description
        value: The 'Security the Source Code' SSCP controls provide the necessary GitOps best practices
      - name: zta-tenet
        value: 5 - The enterprise monitors and measures integrity / security posture ...
  - id: control-328
    class_: CNSWP-v2.0
    title: Monitor for vulnerabilities, and keep Git and GitOps tools up to date
    props:
      - name: section
        value: Security Assurance
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: description
        value: The 'Security the Source Code' SSCP controls provide the necessary GitOps best practices
      - name: zta-tenet
        value: 7 - The enterprise collects as much info as possible .. to improve security posture
  - id: control-329
    class_: CNSWP-v2.0
    title: Rotate SSH keys and Personal Access Tokens, block unauthorized access to Git repositories
    props:
      - name: section
        value: Security Assurance
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: description
        value: The 'Security the Source Code' SSCP controls provide the necessary GitOps best practices
      - name: zta-tenet
        value: 3 - Access to individual enterprise resources is granted on a per-session basis
  - id: control-330
    class_: CNSWP-v2.0
    title: Utilize a dedicated non-user technical account for access where credentials are frequently rotated and short-lived
    props:
      - name: section
        value: Security Assurance
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: description
        value: The 'Security the Source Code' SSCP controls provide the necessary GitOps best practices
      - name: zta-tenet
        value: 3 - Access to individual enterprise resources is granted on a per-session basis
  - id: control-331
    class_: CNSWP-v2.0
    title: Limit users who can elevate permissions to remove security features to cover their tracks via deletion of audit trails and silencing of alerts
    props:
      - name: section
        value: Security Assurance
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: description
        value: The 'Security the Source Code' SSCP controls provide the necessary GitOps best practices
      - name: zta-tenet
        value: 4 - Access to resources is determined by dynamic policy ...
  - id: control-332
    class_: CNSWP-v2.0
    title: Storage control plane management interface requires mutual authentication and TLS for connections
    props:
      - name: section
        value: Storage
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: refs
        value: SC-8 TRANSMISSION CONFIDENTIALITY AND INTEGRITY
      - name: zta-tenet
        value: 2 - All communication is secured regardless of network location
  - id: control-333
    class_: CNSWP-v2.0
    title: Data availability is achieved through parity or mirroring, erasure coding or replicas
    props:
      - name: section
        value: Storage
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: refs
        value: SI-13 PREDICTABLE FAILURE PREVENTION
      - name: x-note
        value: high availability
  - id: control-334
    class_: CNSWP-v2.0
    title: Hashing and checksums are added to blocks, objects or files
    props:
      - name: section
        value: Storage
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: description
        value: primarily designed to detect and recover from corrupted data, but can also add a layer of protection against the tampering of data.
      - name: refs
        value: CM-7 LEAST FUNCTIONALITY, SI-7 SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY
      - name: x-note
        value: data integrity
      - name: zta-tenet
        value: 7 - The enterprise collects as much info as possible .. to improve security posture
  - id: control-335
    class_: CNSWP-v2.0
    title: Data backup storage and data source storage should have same security controls
    props:
      - name: section
        value: Storage
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: refs
        value: SA-9 EXTERNAL SYSTEM SERVICES, SC-30 CONCEALMENT AND MISDIRECTION
      - name: x-note
        value: data security
      - name: zta-tenet
        value: 4 - Access to resources is determined by dynamic policy ...
  - id: control-336
    class_: CNSWP-v2.0
    title: Secure erasure adhering to OPAL standards is employed for returned or non-functional devices
    props:
      - name: section
        value: Storage
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: refs
        value: CP-9 SYSTEM BACKUP, MP-6 MEDIA SANITIZATION
      - name: x-query
        value: resource lifecycle management?
  - id: control-337
    class_: CNSWP-v2.0
    title: Encryption at rest considers data path, size, and frequency of access when determing additional security protections and cryptographic algorithms to employ
    props:
      - name: section
        value: Storage
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: description
        value: The encryption may be implemented in the storage client or storage server and granularity of the encryption will vary by system (e.g. per volume, per group or global keys)
      - name: refs
        value: SC-28 PROTECTION OF INFORMATION AT REST
      - name: x-note
        value: encryption at rest
  - id: control-338
    class_: CNSWP-v2.0
    title: Caching is considered for determining encryption requirements in archictures
    props:
      - name: section
        value: Storage
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: x-note
        value: data security
  - id: control-339
    class_: CNSWP-v2.0
    title: Namespaces have defined trust boundaries to cordon access to volumes
    props:
      - name: section
        value: Storage
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: x-note
        value: data security
  - id: control-340
    class_: CNSWP-v2.0
    title: Security policies are used to prevent containers from accessing volume mounts on worker nodes
    props:
      - name: section
        value: Storage
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: refs
        value: SC-7 BOUNDARY PROTECTION, SA-8 SECURITY AND PRIVACY ENGINEERING PRINCIPLES, CM-6 CONFIGURATION SETTINGS
      - name: zta-tenet
        value: 3 - Access to individual enterprise resources is granted on a per-session basis
      - name: zta-tenet
        value: 4 - Access to resources is determined by dynamic policy ...
      - name: x-note
        value: data security
  - id: control-341
    class_: CNSWP-v2.0
    title: Security policies are used enforce authorized worker node access to volumes
    props:
      - name: section
        value: Storage
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: refs
        value: SC-7 BOUNDARY PROTECTION, SA-8 SECURITY AND PRIVACY ENGINEERING PRINCIPLES, CM-6 CONFIGURATION SETTINGS
      - name: zta-tenet
        value: 3 - Access to individual enterprise resources is granted on a per-session basis
      - name: x-note
        value: data security
      - name: zta-tenet
        value: 1 - All data sources and computing services are considered resources
  - id: control-342
    class_: CNSWP-v2.0
    title: Volume UID and GID are inaccessible to containers
    props:
      - name: section
        value: Storage
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: refs
        value: AC-4 INFORMATION FLOW ENFORCEMENT, AC-16 SECURITY AND PRIVACY ATTRIBUTES, SI-7 SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY
      - name: x-note
        value: data security
  - id: control-343
    class_: CNSWP-v2.0
    title: Artifact registry supports OCI artifacts
    props:
      - name: section
        value: Storage
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: x-note
        value: identity attestation
  - id: control-344
    class_: CNSWP-v2.0
    title: Artifact registry supports signed artifacts
    props:
      - name: section
        value: Storage
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: refs
        value: CM-14 SIGNED COMPONENTS
      - name: x-note
        value: identity attestation
  - id: control-345
    class_: CNSWP-v2.0
    title: Artifact registry verifies artifacts against organizational policies
    props:
      - name: section
        value: Storage
      - name: assurance-level
        value: N/A
      - name: risk-categories
        value: N/A
      - name: refs
        value: AU-10 NON-REPUDIATION, CM-6 CONFIGURATION SETTINGS
      - name: x-note
        value: identity attestation