Skip to main content

Cloud Native Security Controls Catalog: Refreshed, Structured, and Machine-Readable

ยท 3 min read
Sonu Preetam
Product Security Engineer
Jennifer Power
Principal Product Security Engineer
Hannah Braswell
Associate Product Security Engineer

Revised security guidance has been released by CNCF advisors to streamline cloud-native project security assessments.

Initially created in 2022 by CNCF's TAG Security and Compliance (TAG-SC), the Cloud Native Security Controls Catalog (CNSC Catalog) is a direct, actionable list of controls mapped to NIST SP 800-53 Rev. 5. To incorporate emerging technologies, tools, and research, a new version of the catalog has been created and released in 2026.

What is the CNSC Catalog?โ€‹

The catalog incorporates guidance from TAG-SC's Cloud Native Security Whitepaper (CNSWP) and the Software Supply Chain Security Paper (SSCSP) in a way that can be rapidly referenced. Each entry assigns a unique identifier to discrete guidance and includes a reference to external guidance from NIST SP 800-53.

Previous versions of the catalog were delivered in a proprietary format hosted by TAG-SC, increasing complexity for readers. The updated version now utilizes the best practices and schemas provided by the OpenSSF's Gemara project. This approach allows users to harness the CNSC Catalog using tools that are already compatible for similar efforts using Gemara, such as the Open Source Project Security Baseline or the FINOS Common Cloud Controls project.

The existing controls are now organized into family groupings that span the complete cloud-native lifecycle. Each entry provides a unique identifier, title, objective statement, and family classification.

Here is an example from the Deploy family:

FieldValue
IDCNSC-57
TitleTrust Confirmation
ObjectiveTrust confirmation verifies the image has a valid signature from an authorized source
GroupDeploy
ApplicabilityCNSWP-v1.0, CNSWP-v2.0

Project maintainers can leverage these guidelines as a ready-made foundation for a project-specific hardening guide for creating security controls aligned with TAG-SC guidance. Each guideline maps to a corresponding NIST SP 800-53 Rev. 5 control, giving regulated end-users a clear picture of how cloud-native security practices align with the standards they are required to satisfy.

The catalog is maintained in version control and accepts contributions through standard pull request workflows with full review history and traceability preserved.

What's Nextโ€‹

With Milestone 1 complete, the next step is putting the catalog to work. The near-term goal is to support CNCF project maintainers in creating project-specific hardening guides using the guidance most relevant to their project's footprint.

If you are interested in this work and would like to provide feedback or get involved, please reach out on GitHub, in the #initiative-cloud-native-security-controls-catalog channel on CNCF Slack, or through TAG Security and Compliance public calendar meetings.

Referencesโ€‹