CNCF Security Technical Advisory Group (TAG)

International (CNCF/Linux Foundation)

vv2 (2022) - CNCF Cloud Native Security Whitepaper

7 domains

24 controls

The CNCF Security Technical Advisory Group (TAG) publishes security guidance for cloud‑native ecosystems, including the CNCF Cloud Native Security Whitepaper (v2, 2022), the Software Supply Chain Best Practices guide, and the CNCF Security Assessment process. These resources are best‑practice documents rather than a formal framework with defined domains or controls.

Verified

Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.

Framework Domains (7)

CNCF: Cloud Native Layers (4C)

4 controls

Controls in the CNCF: Cloud Native Layers (4C) domain of CNCF Security Technical Advisory Group (TAG) — 4 controls
Code	Title	Description
CNCF-4C-CLOUD	Cloud Layer Security	Secure the cloud/infrastructure layer (the trusted computing base): provider account security, infrastructure configurat...
CNCF-4C-CLUSTER	Cluster Layer Security	Secure the orchestration/cluster layer: API server access control, RBAC, network policy, component configuration and sec...
CNCF-4C-CODE	Code Layer Security	Secure the application code layer: secure coding, dependency management, secrets handling and application-level controls...
CNCF-4C-CONTAINER	Container Layer Security	Secure the container layer: image provenance and hardening, runtime privileges, isolation and container configuration.

CNCF: Compliance

2 controls

Controls in the CNCF: Compliance domain of CNCF Security Technical Advisory Group (TAG) — 2 controls
Code	Title	Description
CNCF-COMP-AUDITS	Regulatory Audits	Support regulatory audits for cloud-native environments: evidence collection, compliance automation and continuous contr...
CNCF-COMP-INDUSTRY	Industry-Specific Compliance	Address industry-specific compliance obligations (e.g. financial-sector EU regulations) when running cloud-native worklo...

CNCF: Lifecycle - Deploy

4 controls

Controls in the CNCF: Lifecycle - Deploy domain of CNCF Security Technical Advisory Group (TAG) — 4 controls
Code	Title	Description
CNCF-DEP-ARTIFACTS	Artifact and Image Verification	Verify artifacts and images at deploy time: signature verification, provenance/attestation checks and trusted-registry e...
CNCF-DEP-INCIDENT	Incident Response and Mitigation	Prepare incident response and mitigation for cloud-native workloads: playbooks, isolation/quarantine capability and roll...
CNCF-DEP-OBSERVABILITY	Observability and Metrics	Establish observability for deployed workloads: logging, metrics and tracing to support detection and response.
CNCF-DEP-PREFLIGHT	Pre-Flight Deployment Checks	Validate workloads at deployment via admission control: verify image provenance/signatures, policy compliance and config...

CNCF: Lifecycle - Develop

2 controls

Controls in the CNCF: Lifecycle - Develop domain of CNCF Security Technical Advisory Group (TAG) — 2 controls
Code	Title	Description
CNCF-DEV-CHECKS	Security Checks in Development	Integrate security into development: threat-informed requirements, IDE/security-plugin checks, secret detection and secu...
CNCF-DEV-TESTING	Security Testing	Perform security testing during development: SAST, DAST, dependency/SCA scanning and unit/integration security tests bef...

CNCF: Lifecycle - Distribute

5 controls

Controls in the CNCF: Lifecycle - Distribute domain of CNCF Security Technical Advisory Group (TAG) — 5 controls
Code	Title	Description
CNCF-DIST-IMGHARDEN	Image Hardening	Harden container images: minimal base images, removal of unnecessary packages, non-root users and reduced attack surface...
CNCF-DIST-IMGSCAN	Image Scanning	Scan container images for known vulnerabilities and misconfigurations before distribution, with policy on acceptable fin...
CNCF-DIST-MANIFESTHARDEN	Container Application Manifest Hardening	Harden deployment manifests: drop capabilities, set security contexts, resource limits and least-privilege specification...
CNCF-DIST-MANIFESTSCAN	Container Application Manifest Scanning	Scan deployment manifests (Kubernetes YAML, Helm charts, IaC) for insecure settings before deployment.
CNCF-DIST-PIPELINE	Build Pipeline Security	Secure the build pipeline (CI): isolated/ephemeral build environments, controlled build inputs, provenance generation an...

CNCF: Lifecycle - Runtime

4 controls

Controls in the CNCF: Lifecycle - Runtime domain of CNCF Security Technical Advisory Group (TAG) — 4 controls
Code	Title	Description
CNCF-RT-ACCESS	Runtime Access (Identity, Authentication, Authorization)	Enforce runtime access controls: workload and human identity, authentication, authorization (RBAC), service-to-service a...
CNCF-RT-AVAILABILITY	Runtime Availability	Protect runtime availability: resource limits/quotas, denial-of-service protection, autoscaling and resilience of cloud-...
CNCF-RT-COMPUTE	Runtime Compute Security (Orchestration, Hosts, Containers)	Secure runtime compute: host/node hardening, orchestrator security, container runtime isolation (sandboxing, seccomp/App...
CNCF-RT-STORAGE	Runtime Storage Security	Secure runtime storage: encryption of data at rest, secrets management, volume access control and persistent-data protec...

CNCF: Security Assurance

3 controls

Controls in the CNCF: Security Assurance domain of CNCF Security Technical Advisory Group (TAG) — 3 controls
Code	Title	Description
CNCF-SA-PRINCIPLES	Security Principles	Apply cloud-native security principles: defense in depth, least privilege, zero trust, immutability, and secure-by-defau...
CNCF-SA-STACK	Security Stack and Tooling	Maintain a cloud-native security stack mapped to lifecycle phases (scanning, policy-as-code, runtime detection, secrets,...
CNCF-SA-THREATMODEL	Threat Modeling	Conduct cloud-native threat modeling: enumerate assets, trust boundaries and threats (including the v2 ransomware use ca...

Your Compliance Coverage

If you comply with CNCF Security Technical Advisory Group (TAG), you already cover:

Cloud Security Alliance Cloud Controls Matrix (CCM) v4.0.1

100%

24 controls mapped

Compare →

NIST SP 800-53 Rev 5

75%

18 controls mapped

Compare →

NIST Cybersecurity Framework 2.0

1 controls mapped

Compare →

+ 1 more: ISO 27002:2022 (4%)

See all 4 mapped frameworks ↓

Maps to 4 other frameworks

24 total controls

Cloud Security Alliance Cloud Controls Matrix (CCM) v4.0.1

24 source controls mapped|21 target controls covered

100%

NIST SP 800-53 Rev 5

18 source controls mapped|11 target controls covered

75%

NIST Cybersecurity Framework 2.0

1 source controls mapped|1 target controls covered

ISO 27002:2022

1 source controls mapped|1 target controls covered

Compare CNCF Security Technical Advisory Group (TAG) with Cloud Security Alliance Cloud Controls Matrix (CCM) v4.0.1

Frequently Asked Questions

What is CNCF Security Technical Advisory Group (TAG)?

CNCF Security Technical Advisory Group (TAG) is a compliance framework from International (CNCF/Linux Foundation) with 7 domains and 24 controls. The CNCF Security Technical Advisory Group (TAG) publishes security guidance for cloud‑native ecosystems, including the CNCF Cloud Native Security Whitepaper (v2, 2022), the Software Supply Chain Best Practices guide, and the CNCF Security Assessment process. These resources are best‑practice documents rather than a formal framework with defined domains or controls. It is used by organisations to establish and maintain compliance with industry standards and regulatory requirements.

How many controls does CNCF Security Technical Advisory Group (TAG) have?

CNCF Security Technical Advisory Group (TAG) has 24 controls organised across 7 domains. The largest domains are CNCF: Lifecycle - Distribute (5 controls), CNCF: Cloud Native Layers (4C) (4 controls), CNCF: Lifecycle - Deploy (4 controls). Each control defines specific requirements that organisations must implement to achieve compliance.

What frameworks does CNCF Security Technical Advisory Group (TAG) map to?

CNCF Security Technical Advisory Group (TAG) maps to 4 other compliance frameworks. The top mapping partners are Cloud Security Alliance Cloud Controls Matrix (CCM) v4.0.1 (100% coverage), NIST SP 800-53 Rev 5 (75% coverage), NIST Cybersecurity Framework 2.0 (4% coverage). Use our comparison tool to explore control-level mappings between frameworks.

How do I get started with CNCF Security Technical Advisory Group (TAG) compliance?

Start your CNCF Security Technical Advisory Group (TAG) compliance journey by running a self-assessment on our platform to identify your current compliance posture. Our AI advisory can answer specific questions about CNCF Security Technical Advisory Group (TAG) requirements, and cross-framework mapping helps you leverage existing controls from other frameworks you may already comply with. Create a free account to access all 24 controls and track your progress.

Start Your Compliance Journey

Create a free account to run self-assessments, get AI advisory, and track your compliance progress across 718 frameworks.

Get Started Free →

Free forever — no credit card required