| ID | Originating Document | Section | Control Title | NIST SP800-53r5 references | Assurance Level | Risk Categories |
|---|---|---|---|---|---|---|
| 1 | CNSWP v1.0 | Access | Secrets are injected at runtime | IA-5(7) Authenticator Management \| No Embedded Unencrypted Static Authenticators | N/A | N/A |
| 2 | CNSWP v1.0 | Access | Applications and workloads are explicitly authorized to communicate with each other using mutual authentication | IA-9 Service Identification and Authentication | N/A | N/A |
| 3 | CNSWP v1.0 | Access | Keys are rotated frequently | SC-12 Cryptographic Key Establishment and Management | N/A | N/A |
| 4 | CNSWP v1.0 | Access | Key lifespan is short | SC-12(3) Cryptographic Key Establishment and Management \| Asymmetric Keys | N/A | N/A |
| 5 | CNSWP v1.0 | Access | Credentials and keys protecting sensitive workloads (health/finance/etc.) are generated and managed independently of a cloud service provider | IA-2(12) Identification and Authentication (Organizational Users) \| Acceptance of PIV Credentials | N/A | N/A |
| 6 | CNSWP v1.0 | Access | Authentication and authorization are determined independently | IA-2(6) Identification and Authentication (Organizational Users) \| Access to Accounts - Separate Devices | N/A | N/A |
| 7 | CNSWP v1.0 | Access | Authentication and authorization are enforced independently | IA-2(6) Identification and Authentication (Organizational Users) \| Access to Accounts - Separate Devices | N/A | N/A |
| 8 | CNSWP v1.0 | Access | Access control and file permissions are updated in real time | SI-4(2) System Monitoring \| Automated Tools and Mechanisms for Real-Time Analysis | N/A | N/A |
| 9 | CNSWP v1.0 | Access | Authorization for workloads is granted based on attributes and roles/permissions previously assigned | AC-3(13) Access Enforcement \| Attribute-Based Access Control | N/A | N/A |
| 10 | CNSWP v1.0 | Access | ABAC and RBAC are used | AC-3(13) Access Enforcement \| Attribute-Based Access Control; AC-3(7) Access Enforcement \| Role-Based Access Control | N/A | N/A |
| 11 | CNSWP v1.0 | Access | End user identity is capable of being accepted, consumed, and forwarded on for contextual or dynamic authorization | SC-7(19) Boundary Protection \| Block Communication from Non-Organizationally Configured Hosts | N/A | N/A |
| 12 | CNSWP v1.0 | Access | All cluster and workload operators are authenticated | IA-7 Cryptographic Module Authentication | N/A | N/A |
| 13 | CNSWP v1.0 | Access | Cluster and workload operator actions are evaluated against access control policies governing context, purpose, and output | IA-7 Cryptographic Module Authentication | N/A | N/A |
| 14 | CNSWP v1.0 | Access | Identity federation uses multi-factor authentication | IA-2(1)(2) Identification and Authentication (Organizational Users) \| Multi-Factor Authentication to Privileged and Non-Privileged Accounts | N/A | N/A |
| 15 | CNSWP v1.0 | Access | HSMs are used to physically protect cryptographic secrets with an encryption key residing in the HSM | AC-4(4) Information Flow Enforcement \| Flow Control of Encrypted Information; SC-3(1) Security Function Isolation \| Hardware Separation | N/A | N/A |
| 16 | CNSWP v1.0 | Access | Secrets should have a short expiration period or time to live | SI-12 Information Management and Retention | N/A | N/A |
| 17 | CNSWP v1.0 | Access | Time to live and expiration period on secrets are verified to prevent reuse | AC-16(3) Security and Privacy Attributes \| Maintenance of Attribute Associations by System | N/A | N/A |
| 18 | CNSWP v1.0 | Access | Secrets management systems are highly available | SC-12(1) Cryptographic Key Establishment and Management \| Availability | N/A | N/A |
| 19 | CNSWP v1.0 | Access | Long-lived secrets adhere to periodic rotation and revocation | SI-12 Information Management and Retention | N/A | N/A |
| 20 | CNSWP v1.0 | Access | Secrets are distributed through secured communication channels protected commensurate with the level of access or data they are protecting | AC-16 Security and Privacy Attributes | N/A | N/A |
| 21 | CNSWP v1.0 | Access | Secrets injected at runtime are masked or dropped from logs, audit, or system dumps | AU-9(3) Protection of Audit Information \| Cryptographic Protection | N/A | N/A |
| 22 | CNSWP v1.0 | Compute | Bootstrapping is employed to verify correct physical and logical location of compute | SI-7(9) Software, Firmware, and Information Integrity \| Verify Boot Process | N/A | N/A |
| 23 | CNSWP v1.0 | Compute | Disparate data-sensitive workloads are not run on the same OS kernel | SC-7 Boundary Protection | N/A | N/A |
| 24 | CNSWP v1.0 | Compute | Monitor and detect any changes to the initial configurations made in runtime | CM-2(2) Baseline Configuration \| Automation Support for Accuracy and Currency; CM-3(7) Configuration Change Control \| Review System Changes | N/A | N/A |
| 25 | CNSWP v1.0 | Compute | API auditing is enabled with a filter for a specific set of API groups or verbs | AU-2 Event Logging | N/A | N/A |
| 26 | CNSWP v1.0 | Compute | Container-specific operating systems are in use | CM-2 Baseline Configuration; CM-7 Least Functionality | N/A | N/A |
| 27 | CNSWP v1.0 | Compute | The hardware root of trust is based in a Trusted Platform Module (TPM) or virtual TPM (vTPM) | SI-7 Software, Firmware, and Information Integrity | N/A | N/A |
| 28 | CNSWP v1.0 | Compute | Minimize administrative access to the control plane | AC-6 Least Privilege | N/A | N/A |
| 29 | CNSWP v1.0 | Compute | Object-level and resource requests and limits are controlled through cgroups | SI-7(16) Software, Firmware, and Information Integrity \| Time Limit on Process Execution Without Supervision; SI-7(17) Software, Firmware, and Information Integrity \| Runtime Application Self-Protection | N/A | N/A |
| 30 | CNSWP v1.0 | Compute | Systems processing alerts are periodically tuned for false positives | SI-4(13) System Monitoring \| Analyze Traffic and Event Patterns | N/A | N/A |
| 31 | CNSWP v1.0 | Compute | All orchestrator control plane components are configured to communicate via mutual authentication and certificate validation with a periodically rotated certificate | AC-3 Access Enforcement | N/A | N/A |
| 32 | CNSWP v1.0 | Compute | Only sanctioned capabilities and system calls (e.g. seccomp filters) are allowed to execute or be invoked in a container by the host operating system | CM-2 Baseline Configuration; CM-7 Least Functionality | N/A | N/A |
| 33 | CNSWP v1.0 | Compute | Changes to critical mount points and files are prevented, monitored, and alerted on | CM-5 Access Restrictions for Change | N/A | N/A |
| 34 | CNSWP v1.0 | Compute | Runtime configuration control prevents changes to binaries, certificates, and remote access configurations | CM-5 Access Restrictions for Change | N/A | N/A |
| 35 | CNSWP v1.0 | Compute | Runtime configuration restricts ingress and egress network access for containers to only what is required to operate | SC-7 Boundary Protection | N/A | N/A |
| 36 | CNSWP v1.0 | Compute | Policies are defined that restrict communications to only occur between sanctioned microservice pairs | SC-7 Boundary Protection | N/A | N/A |
| 37 | CNSWP v1.0 | Compute | Use a policy agent to control and enforce authorized, signed container images | CM-5 Access Restrictions for Change | N/A | N/A |
| 38 | CNSWP v1.0 | Compute | Use a policy agent to control provenance assurance for operational workloads | CM-5 Access Restrictions for Change | N/A | N/A |
| 39 | CNSWP v1.0 | Compute | Use a service mesh that eliminates implicit trust through data-in-motion encryption (data in transit) | SC-7 Boundary Protection | N/A | N/A |
| 40 | CNSWP v1.0 | Compute | Use components that detect, track, aggregate and report system calls and network traffic from a container | SI-4 System Monitoring | N/A | N/A |
| 41 | CNSWP v1.0 | Compute | Workloads should be dynamically scanned to detect malicious or insidious behavior for which no known occurrence yet exists | SI-3 Malicious Code Protection | N/A | N/A |
| 42 | CNSWP v1.0 | Compute | Environments are continuously scanned to detect new vulnerabilities in workloads | RA-5 Vulnerability Monitoring and Scanning | N/A | N/A |
| 43 | CNSWP v1.0 | Compute | Actionable audit events are generated that correlate/contextualize data from logs into "information" that can drive decision trees/incident response | AU-3 Content of Audit Records | N/A | N/A |
| 44 | CNSWP v1.0 | Compute | Segregation of duties and the principle of least privilege are enforced | AC-6 Least Privilege | N/A | N/A |
| 45 | CNSWP v1.0 | Compute | Non-compliant violations are detected based on a pre-configured set of rules that filter violations of the organization's policies | SI-7 Software, Firmware, and Information Integrity | N/A | N/A |
| 46 | CNSWP v1.0 | Compute | Native secret stores encrypt with keys from an external Key Management Store (KMS) | SC-12(3) Systems & Communication Protection | N/A | N/A |
| 47 | CNSWP v1.0 | Compute | Native secret stores are not configured for base64 encoding or stored in clear text in the key-value store by default | SC-12(3) Systems & Communication Protection | N/A | N/A |
| 48 | CNSWP v1.0 | Compute | Network traffic to malicious domains is detected and denied | SI-4 System Monitoring | N/A | N/A |
| 49 | CNSWP v1.0 | Compute | Use encrypted containers for sensitive sources, methods, and data | SC-28 Protection of Information at Rest | N/A | N/A |
| 50 | CNSWP v1.0 | Compute | Use SBOMs to identify current deployments of vulnerable libraries, dependencies, and packages | CM-8 System Component Inventory | N/A | N/A |
| 51 | CNSWP v1.0 | Compute | Processes must execute only functions explicitly defined in an allow list | CM-2 Baseline Configuration; CM-7 Least Functionality | N/A | N/A |
| 52 | CNSWP v1.0 | Compute | Functions are not allowed to make changes to critical file system mount points | CM-5 Access Restrictions for Change | N/A | N/A |
| 53 | CNSWP v1.0 | Compute | Function access is only permitted to sanctioned services | CM-2 Baseline Configuration; CM-7 Least Functionality | N/A | N/A |
| 54 | CNSWP v1.0 | Compute | Egress network connections are monitored to detect and prevent access to C&C (command and control) and other malicious network domains | SI-4 System Monitoring | N/A | N/A |
| 55 | CNSWP v1.0 | Compute | Ingress network inspection is employed to detect and remove malicious payloads and commands | SI-4 System Monitoring | N/A | N/A |
| 56 | CNSWP v1.0 | Compute | Serverless functions are run in tenant-based resource or performance isolation for similar data classifications | SC-7(21) Boundary Protection \| Isolation of System Components | N/A | N/A |
| 57 | CNSWP v1.0 | Deploy | Trust confirmation verifies the image has a valid signature from an authorized source | SR-4(3) Provenance \| Validate as Genuine and Not Altered; SR-4(4) Provenance \| Supply Chain Integrity — Pedigree | N/A | N/A |
| 58 | CNSWP v1.0 | Deploy | Image runtime policies are enforced prior to deployment | SI-7(17) Software, Firmware, and Information Integrity \| Runtime Application Self-Protection | N/A | N/A |
| 59 | CNSWP v1.0 | Deploy | Image integrity and signature are verified prior to deployment | SR-4(3) Provenance \| Validate as Genuine and Not Altered; SR-4(4) Provenance \| Supply Chain Integrity — Pedigree | N/A | N/A |
| 60 | CNSWP v1.0 | Deploy | Applications provide logs regarding authentication, authorization, actions, and failures | CM-3 Configuration Change Control | N/A | N/A |
| 61 | CNSWP v1.0 | Deploy | Forensics capabilities are integrated into an incident response plan and procedures | Incident Handling \| Malicious Code and Forensic Analysis | N/A | N/A |
| 62 | CNSWP v1.0 | Deploy | AI, ML, or statistical modeling are used for behavioural and heuristic environment analysis | SI-3 System and Information Integrity | N/A | N/A |
| 63 | CNSWP v1.0 | Develop | Establish a dedicated production environment | SA-3(1) System Development Life Cycle \| Manage Preproduction Environment | N/A | N/A |
| 64 | CNSWP v1.0 | Develop | Leverage dynamic deployments | SA-8(31) Security and Privacy Engineering Principles \| Secure System Modification | N/A | N/A |
| 65 | CNSWP v1.0 | Develop | Integrate vulnerability and configuration scanning in the IDE or at the pull request | SA-11(1) Developer Testing and Evaluation \| Static Code Analysis | N/A | N/A |
| 66 | CNSWP v1.0 | Develop | Establish dedicated development, testing, and production environments | SA-15 Development Process, Standards, and Tools | N/A | N/A |
| 67 | CNSWP v1.0 | Develop | Build tests for business-critical code | SA-11 Developer Testing and Evaluation | N/A | N/A |
| 68 | CNSWP v1.0 | Develop | Build tests for business-critical infrastructure | SA-11 Developer Testing and Evaluation | N/A | N/A |
| 69 | CNSWP v1.0 | Develop | Test suite can be run locally | SA-11 Developer Testing and Evaluation | N/A | N/A |
| 70 | CNSWP v1.0 | Develop | Test suites should be available to run in a shared environment | SA-11 Developer Testing and Evaluation | N/A | N/A |
| 71 | CNSWP v1.0 | Develop | Implement two non-author reviewers/approvers prior to merging | SA-11(4) Developer Testing and Evaluation \| Manual Code Reviews | N/A | N/A |
| 72 | CNSWP v1.0 | Develop | Code should be clean and well commented | | N/A | N/A |
| 73 | CNSWP v1.0 | Develop | Full infrastructure tests are used | SA-11 Developer Testing and Evaluation | N/A | N/A |
| 74 | CNSWP v1.0 | Develop | Regression tests are used | SA-11 Developer Testing and Evaluation | N/A | N/A |
| 75 | CNSWP v1.0 | Develop | Test suites are updated against new and emerging threats and developed into security regression tests | SA-11 Developer Testing and Evaluation | N/A | N/A |
| 76 | CNSWP v1.0 | Develop | Establish a dedicated testing environment | SA-3(1) System Development Life Cycle \| Manage Preproduction Environment | N/A | N/A |
| 77 | CNSWP v1.0 | Develop | Continuous integration server is isolated | SC-39 Process Isolation | N/A | N/A |
| 78 | CNSWP v1.0 | Develop | Use threat model results to determine ROI for test development | SA-11(2) Developer Testing and Evaluation \| Threat Modeling and Vulnerability Analyses | N/A | N/A |
| 79 | CNSWP v1.0 | Distribute | Trust is verified | | N/A | N/A |
| 80 | CNSWP v1.0 | Distribute | Artifacts ready for deployment are managed in a staging or pre-prod registry | | N/A | N/A |
| 81 | CNSWP v1.0 | Distribute | Container images are hardened following best practices | | N/A | N/A |
| 82 | CNSWP v1.0 | Distribute | Static application security testing (SAST) is performed | | N/A | N/A |
| 83 | CNSWP v1.0 | Distribute | Test suites follow the test pyramid | | N/A | N/A |
| 84 | CNSWP v1.0 | Distribute | Artifacts undergoing active development are held in a private registry | | N/A | N/A |
| 85 | CNSWP v1.0 | Distribute | Scan application manifests in the CI pipeline | RA-5 Vulnerability Monitoring and Scanning | N/A | N/A |
| 86 | CNSWP v1.0 | Distribute | CI servers for sensitive workloads are isolated from other workloads | SC-39 Process Isolation | N/A | N/A |
| 87 | CNSWP v1.0 | Distribute | Builds requiring elevated privileges must run on dedicated servers | SC-39 Process Isolation | N/A | N/A |
| 88 | CNSWP v1.0 | Distribute | Build policies are enforced on the CI pipeline | SA-1 Policy and Procedures | N/A | N/A |
| 89 | CNSWP v1.0 | Distribute | Sign pipeline metadata | SI-7 Software, Firmware, and Information Integrity | N/A | N/A |
| 90 | CNSWP v1.0 | Distribute | Build stages are verified prior to the next stage executing | SI-7 Software, Firmware, and Information Integrity | N/A | N/A |
| 91 | CNSWP v1.0 | Distribute | Images are scanned within the CI pipeline | RA-5 Vulnerability Monitoring and Scanning; SA-3 System Development Life Cycle | N/A | N/A |
| 92 | CNSWP v1.0 | Distribute | Vulnerability scans are coupled with pipeline compliance rules | SA-1 Policy and Procedures | N/A | N/A |
| 93 | CNSWP v1.0 | Distribute | Dynamic application security testing (DAST) is performed | SA-11(8) & (9) Interactive Application Security Testing | N/A | N/A |
| 94 | CNSWP v1.0 | Distribute | Application instrumentation is employed | SI-4 System Monitoring | N/A | N/A |
| 95 | CNSWP v1.0 | Distribute | Automated test results map back to requirements | | N/A | N/A |
| 96 | CNSWP v1.0 | Distribute | Infrastructure security tests must be employed | | N/A | N/A |
| 97 | CNSWP v1.0 | Distribute | Tests to verify security health are executed at time of build and at time of deploy | SI-4 System Monitoring | N/A | N/A |
| 98 | CNSWP v1.0 | Distribute | IaC is subject to the same pipeline policy controls as application code | | N/A | N/A |
| 99 | CNSWP v1.0 | Distribute | Security testing is automated | SA-11 Developer Testing and Evaluation; CA-8 Penetration Testing | N/A | N/A |