[Initiative]: Cloud Native Security Controls Catalog Refresh #1910

@jpower432

Description

Name

Cloud Native Security Controls Catalog Refresh

Short description

Review and update the Cloud Native Security Controls Catalog

Responsible group

TAG Security and Compliance

Does the initiative belong to a subproject?

No

Subproject name

No response

Primary contact

Jenn Power (@jpower432)

Additional contacts

@eddie-knight

Initiative description

This initiative focuses on refreshing the Cloud Native Security Controls Catalog. The original catalog was created to provide specific, actionable controls for engineers, going beyond the high-level guidance found in the Cloud Native Security Whitepaper (CNSWP) and the Software Supply Chain Security Paper (SSCSP). The planned activities in this initiative would carry out the next phase of work described in the Phase One announcement: supporting automated assessment of the security controls.

Original TAG Security issue documenting the scope and purpose.

Planned Activities

  • Define Catalog Use Cases: Identify and document key use cases to clarify the catalog's value proposition. This includes determining whether it can serve as a reference for project maintainers building best practice guides for their tools.

  • Assess Alignment with Existing Catalogs: Analyze the catalog's overlap with the Open Source Project Security (OSPS) Baseline to ensure consistency and identify opportunities for collaboration.

  • Enable Automation: Convert the current source of truth for control definitions to a format that can be easily managed in version control.

    • One option to explore is gemara, an OpenSSF project that provides a library and schema for authoring security controls catalogs directly while supporting OSCAL artifact generation.
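As an added illustration of the "Enable Automation" item above (example code written for this page, not the catalog's, gemara's or OSCAL's actual schema or tooling): once control definitions live in version control, a CI job can lint every change and serialise the catalog deterministically so diffs and digests are reproducible. The field names (families, controls, assessment_requirements), the ID formats, and both sample catalogs below are constructed assumptions for the example.

```python
import hashlib
import json
import re

# Constructed sample catalog, assumed to be what a YAML source file would load
# into. Field names and ID formats are assumptions for this example only.
SAMPLE_CATALOG = {
    "id": "cnscc-sample", "title": "Constructed sample catalog", "version": "0.1.0",
    "families": [{
        "id": "AC", "title": "Access Control",
        "controls": [
            {"id": "AC-1", "title": "Least privilege for workload identities",
             "objective": "Each workload runs with only the permissions it needs.",
             "assessment_requirements": [
                 {"id": "AC-1.1", "text": "No workload service account is bound to cluster-admin."},
                 {"id": "AC-1.2", "text": "Service account token automount is disabled unless required."},
             ]},
            {"id": "AC-2", "title": "Verify artifact provenance before deployment",
             "objective": "Only artifacts with verifiable provenance are admitted.",
             "assessment_requirements": [
                 {"id": "AC-2.1", "text": "Admission rejects images lacking a valid signature."},
             ]},
        ],
    }],
}

# Constructed defective copy: a duplicate control ID (which also duplicates a
# requirement ID), a control filed under the wrong family, and a control with
# no assessment requirements at all.
DEFECTIVE_CATALOG = {
    "id": "cnscc-sample", "title": "Defective sample", "version": "0.1.0",
    "families": [{
        "id": "AC", "title": "Access Control",
        "controls": [
            {"id": "AC-1", "title": "A", "objective": "B",
             "assessment_requirements": [{"id": "AC-1.1", "text": "x"}]},
            {"id": "AC-1", "title": "Duplicate", "objective": "B",
             "assessment_requirements": [{"id": "AC-1.1", "text": "x"}]},
            {"id": "SC-9", "title": "Misfiled", "objective": "B",
             "assessment_requirements": []},
        ],
    }],
}

CONTROL_ID = re.compile(r"^[A-Z]{2,5}-\d+$")        # e.g. AC-1
REQUIREMENT_ID = re.compile(r"^[A-Z]{2,5}-\d+\.\d+$")  # e.g. AC-1.2


def lint_catalog(catalog: dict) -> list:
    """Return human-readable findings; an empty list means the catalog passes."""
    findings, seen_controls, seen_requirements = [], set(), set()
    for family in catalog.get("families", []):
        fam_id = family.get("id", "")
        for control in family.get("controls", []):
            cid = control.get("id", "")
            if not CONTROL_ID.match(cid):
                findings.append(f"{cid or '<missing>'}: control id does not match FAM-N")
                continue
            if cid in seen_controls:
                findings.append(f"{cid}: duplicate control id")
            seen_controls.add(cid)
            if not cid.startswith(fam_id + "-"):
                findings.append(f"{cid}: filed under family {fam_id}")
            for field in ("title", "objective"):
                if not control.get(field):
                    findings.append(f"{cid}: missing {field}")
            requirements = control.get("assessment_requirements", [])
            if not requirements:
                # Without assessment requirements there is nothing a tool can evaluate.
                findings.append(f"{cid}: no assessment requirements, cannot be assessed automatically")
            for req in requirements:
                rid = req.get("id", "")
                if not REQUIREMENT_ID.match(rid) or not rid.startswith(cid + "."):
                    findings.append(f"{cid}: requirement id {rid or '<missing>'} not of the form {cid}.N")
                elif rid in seen_requirements:
                    findings.append(f"{rid}: duplicate requirement id")
                seen_requirements.add(rid)
                if not req.get("text"):
                    findings.append(f"{rid or cid}: requirement has no text")
    return findings


def to_json_artifact(catalog: dict) -> str:
    """Canonical JSON (sorted keys, fixed layout) so identical content always
    serialises to identical bytes: clean git diffs and reproducible digests."""
    return json.dumps(catalog, sort_keys=True, indent=2, ensure_ascii=False) + "\n"


def artifact_digest(catalog: dict) -> str:
    """SHA-256 of the canonical artifact, the value a CI job would record or sign."""
    return hashlib.sha256(to_json_artifact(catalog).encode("utf-8")).hexdigest()


def roundtrip_stable(catalog: dict) -> bool:
    """True when parsing the artifact back and re-serialising gives the same digest."""
    return artifact_digest(json.loads(to_json_artifact(catalog))) == artifact_digest(catalog)


if __name__ == "__main__":
    for name, cat in (("sample", SAMPLE_CATALOG), ("defective", DEFECTIVE_CATALOG)):
        print(f"{name}: {len(lint_catalog(cat))} finding(s)", *lint_catalog(cat), sep="\n  ")
    print("sample digest:", artifact_digest(SAMPLE_CATALOG))
```

Running this on the defective copy reports the duplicate IDs, the misfiled control and the control with nothing to assess, which are exactly the classes of error that are easy to introduce when a catalog is edited as prose but cheap to block in a pull-request check once the source of truth is structured data.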

Out of Scope

This initiative focuses on updating the existing controls and structure. Adding new control families and compliance framework mappings is out of scope and would be completed as a follow-on action if the Subproject is established.

Deliverable(s) or exit criteria

The successful completion of this initiative is a decision on whether to continue maintaining the catalog under a Subproject. If the decision is to proceed, the following deliverables will be produced:

  • A standardized, machine-readable security controls catalog ready for adoption by project maintainers and end-users.
  • Guidance materials outlining the process for community contributions.
  • A proposal to establish a Subproject for the ongoing maintenance and evolution of the catalog.

Tracking document for meeting and progress

https://notes.cncf.io/64WPMKmDTOO2WnDI0av_Rw?view

Metadata

Assignees

Labels

Type

No type

Projects

Status

New

Status

status/in-progress

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests