Cloud Native Architecture
A secure cloud service offering will use cloud native architecture and design principles to enforce and enhance the confidentiality, integrity and availability of the system.
Defining Functionality and Privileges
KSI-CNA-DFP
Former ID: KSI-CNA-04
Changelog:
- 2026-02-04: Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes.
Strictly define the functionality and privileges for infrastructure and services.
Enforcing Intended State
KSI-CNA-EIS
Former ID: KSI-CNA-08
Changelog:
- 2026-02-04: Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes.
Optional: Use automated services to persistently assess the security posture of all machine-based information resources and automatically enforce their intended operational state.
Related SP 800-53 Controls: CA-2.1, CA-7.1
Terms: Information Resource, Machine-Based (information resources), Persistently
Implementing Best Practices
KSI-CNA-IBP
Former ID: KSI-CNA-07
Changelog:
- 2026-02-04: Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes.
Persistently ensure cloud-native machine-based information resources are implemented based on the host provider's best practices and documented guidance.
Related SP 800-53 Controls: AC-17.3, CM-2, PL-10
Terms: Information Resource, Machine-Based (information resources), Persistently
Minimizing Attack Surface
KSI-CNA-MAT
Former ID: KSI-CNA-02
Changelog:
- 2026-02-04: Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes.
Persistently ensure machine-based information resources have a minimal attack surface and that lateral movement is minimized if compromised.
Related SP 800-53 Controls: AC-17.3, AC-18.1, AC-18.3, AC-20.1, CA-9, SC-7.3, SC-7.4, SC-7.5, SC-7.8, SC-8, SC-10, SI-10, SI-11, SI-16
Terms: Information Resource, Machine-Based (information resources), Persistently
Optimizing for Availability
KSI-CNA-OFA
Former ID: KSI-CNA-06
Changelog:
- 2026-02-04: Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes.
Appropriately optimize machine-based information resources for high availability and rapid recovery.
Terms: Information Resource, Machine-Based (information resources)
Restricting Network Traffic
KSI-CNA-RNT
Former ID: KSI-CNA-01
Changelog:
- 2026-02-04: Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes.
Persistently ensure all machine-based information resources are configured to limit inbound and outbound network traffic.
Related SP 800-53 Controls: AC-17.3, CA-9, CM-7.1, SC-7.5, SI-8
Terms: Information Resource, Machine-Based (information resources), Persistently
Reviewing Protections
KSI-CNA-RVP
Former ID: KSI-CNA-05
Changelog:
- 2026-02-04: Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes.
Persistently review the effectiveness of protection against denial of service attacks and other unwanted activity.
Related SP 800-53 Controls: SC-5, SI-8, SI-8.2
Terms: Persistently
Using Logical Networking
KSI-CNA-ULN
Former ID: KSI-CNA-03
Changelog:
- 2026-02-04: Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes.