diff --git a/controls/changelog.md b/controls/changelog.md new file mode 100644 index 0000000..a69f91f --- /dev/null +++ b/controls/changelog.md @@ -0,0 +1,6 @@ +New in version 1.2 + +(1) Control 121 for threat modeling has been updated with implementation suggestions from CNSWPv2 +(2) Control 195 for secure default has been added, from CNSWPv2 +(3) Control 196 has been added; CNSWPv2 provide a number of recommendations for supply chain security and then finally references the SSCP whitepaper. +(4) Control 197 for GitOps has been added; CNSWPv2 provides a number of recommendations, all of which are covered by SSCP diff --git a/controls/controls_catalog_v1.1.csv b/controls/controls_catalog_v1.1.csv new file mode 100644 index 0000000..44b35da --- /dev/null +++ b/controls/controls_catalog_v1.1.csv 
@@ -0,0 +1,236 @@ +ID,Originating Document,Section,Control Title,Control Implementation,NIST SP800-53r5 references,Assurance Level,Risk Categories +1,CNSWP v1.0,Access,Secrets are injected at runtime,,IA-5(7) Authenticator Management | No Embedded Unencrypted Static Authenticators,N/A,N/A +2,CNSWP v1.0,Access,Applications and workloads are explicitly authorized to communicate with each other using mutual authentication,,IA-9 Service Identification and Authentication,N/A,N/A +3,CNSWP v1.0,Access,Keys are rotated frequently,,SC-12 Cryptographic Key Establishment and Management,N/A,N/A +4,CNSWP v1.0,Access,Key lifespan is short,,SC-12(3) Cryptographic Key Establishment and Management | Asymetric Key,N/A,N/A +5,CNSWP v1.0,Access,Credentials and keys protecting sensitive workloads (health/finance/etc) are generated and managed independent of a cloud service provider,KMS and HMS are common technologies to achive this. FIPS 140-2 complaince is strongly suggested. Cloud KMS tends to be FIPS 140-2 Level 2 or greater.,IA-2(12) Identification and Authentication (Organizational Users) | Acceptance of PIV Credentials,N/A,N/A +6,CNSWP v1.0,Access,Authentication and authorization are determined independently,,IA-2(6) Identification and Authentication (Organizational Users) | Access to Accounts - Separate Devices,N/A,N/A +7,CNSWP v1.0,Access,Authentication and authorization are enforced independently,,IA-2(6) Identification and Authentication (Organizational Users) | Access to Accounts - Separate Devices,N/A,N/A +8,CNSWP v1.0,Access,access control and file permissions are updated in real-time,where possible as caching may permit unauthorized access,SI-4(2) System Monitoring | Automated Tools and Mechanisms for Real-Time Analysis,N/A,N/A +9,CNSWP v1.0,Access,authorization for workloads is granted based on attributs and roles/permissions previously assigned,,AC-3(13) Access Enforcement | Attribute-Based Access Control,N/A,N/A +10,CNSWP v1.0,Access,ABAC and RBAC are used,,"AC-3(13) 
Access Enforcement | Attribute-Based Access Control +AC-3(7) Access Enforcement | Role-Based Access Control",N/A,N/A +11,CNSWP v1.0,Access,"End user identity is capable of being accepted, consumed, and forwarded on for contextual or dynamic authorization",This can be achieved through the use of identity documents and tokens.,SC-7(19) Boundary Protection | Block Communication from Non-Organizationally Configured Hosts,N/A,N/A +12,CNSWP v1.0,Access,All cluster and workloads operators are authenticated,,IA-7 Cryptographic Module Authentication,N/A,N/A +13,CNSWP v1.0,Access,"cluster and worklods operate actions are evaluated against access control policies governing context, purpose, and output",,IA-7 Cryptographic Module Authentication,N/A,N/A +14,CNSWP v1.0,Access,Identity federation uses multi-factor authentication,,IA-2(1)(2) Identification and Authentication (organizational Users) | Multi-Factor Authenticaiton to Priviledged & Non Priveledged Accounts,N/A,N/A +15,CNSWP v1.0,Access,HSMs are used to physically protect cryptographic secrets with an encryption key residing in the HSM,"If this is not possible, software-based credential managers should be used.","AC-4(4) Information Flow Enforcement | Flow Control of Encrypted Information +SC-3(1) Security Function Isolation | Hardware Separation",N/A,N/A +16,CNSWP v1.0,Access,Secrets should have a short expiration period or time to live,,SI-12 Information Management and Retention,N/A,N/A +17,CNSWP v1.0,Access,time to live and expiration period on secrets is verfied to prevent reuse,,AC-16(3) Security and Privacy Attributes | Maintenance of Attribute Associations by System,N/A,N/A +18,CNSWP v1.0,Access,secrets management systems are highly available,,SC-12(1) Cryptographic Key Establishment and Management | Availability,N/A,N/A +19,CNSWP v1.0,Access,long-lived secrets adhere to periodic rotation and revocation,"Long-lived secrets are not recommended, but some capabilities require them",SI-12 Information Management and 
Retention,N/A,N/A +20,CNSWP v1.0,Access,Secrets are distributed through secured communication channels protected commensurate with the level of access or data they are protecting,,AC-16 Security and Privacy Atributes,N/A,N/A +21,CNSWP v1.0,Access,"Secrets injected are runtime are masqued or dropped from logs, audit, or system dumps","Even short lived secrets may be resused if caught in time by an interested attacker. Logs, audit, and systems dumps (i.e. in-memory shared volumes instead of environment variables) are all areas where runtime injected secrets show up",AU-9(3) Protection of Audit Information | Cryptographic Protection,N/A,N/A +22,CNSWP v1.0,Compute,Bootstrapping is employed to verify correct physical and logical location of compute,Secure Boot with TPM 2.0 or similar control,"SI-7(9) Software, Firmware, and Information Integrity | Verify Boot Process",N/A,N/A +23,CNSWP v1.0,Compute,Disparate data sensitive workloads are not run on the same OS kernel,"There are at least three implementing controls possible: workloads may be separated by running in a separate cluster, on a separate node, or by implementing pods in independent VMs. It is also possible to emulate the kernel via an application kernel (e.g. gvisor)",SC-7 Boundary Protection,N/A,N/A +24,CNSWP v1.0,Compute,Monitor and detect any changes to the initial configurations made in runtime,Preventative controls should be the primary control. 
Detective controls monitoring filesystem changes should be used to verify primary controls are operating properly.,CM-2(2) Baseline Configuration | Automation Support for Accuracy and Currency CM-3(7) Configuration Change Control | Review System Changes,N/A,N/A +25,CNSWP v1.0,Compute,API auditing is enabled with a filter for a specific set of API Groups or verbs,"API audits of the application, kubernetes API server, and kernel should be implemented.",AU-2 Event Logging,N/A,N/A +26,CNSWP v1.0,Compute,Container specific operating systems are in use,a read-only OS with other services disabled. This provides isolation and resource confinement that enables developers to run isolated applications on a shared host kernel,CM-2 Baseline Configuration CM-7 Least Functionality,N/A,N/A +27,CNSWP v1.0,Compute,The hardware root of trust is based in a Trusted Platform Module (TPM) or virtual TPM (vTPM),"Ensure HW root of trust extends to the OS kernel, modules, system images, container runtimes, and all software on the system.","SI-7 Software, Firmware, and Information Integrity",N/A,N/A +28,CNSWP v1.0,Compute,Minimize administrative access to the control plane,Enure both users and pods have the minimum necessary access,AC-6 Least Privilege,N/A,N/A +29,CNSWP v1.0,Compute,Object level and resource requests and limits are controlled through cgroups,"helps prevent exhaustion of node and cluster level resources by one misbehaving workload due to an intentional (e.g., fork bomb attack or cryptocurrency mining) or unintentional (e.g., reading a large file in memory without input validation, horizontal autoscaling to exhaust compute resources) issue","SI-7(16) Software, Firmware, and Information Integrity | Time Limit on Process Execution Without Supervision +SI-7(17) Software, Firmware, and Information Integrity | Runtime Application Self-protection",N/A,N/A +30,CNSWP v1.0,Compute,Systems processing alerts are periodically tuned for false positives,"to avoid alert flooding, fatigue, 
and false negatives after security incidents that were not detected by the system",SI-4(13) System Monitoring | Analyze Traffic and Event Patterns,N/A,N/A +31,CNSWP v1.0,Compute,All orchestrator control plane components are configured to communicate via mutual authentication and certificate validation with a periodically rotated certificate,"In unfederated clusters, the CA should be used exclusively for the current cluster.",AC-3 Access Enforcement,N/A,N/A +32,CNSWP v1.0,Compute,"Only sanctioned capabilities and system calls (e.g. seccomp filters), are allowed to execute or be invoked in a container by the host operating system",Additional tooling should be installed that go beyond k8s capabilities to limit system calls. E.g. Falco.,CM-2 Baseline Configuration CM-7 Least Functionality,N/A,N/A +33,CNSWP v1.0,Compute,"Changes to critical mount points and files are prevented, monitored, and alerted",,CM-5 Access Restrictions for Change,N/A,N/A +34,CNSWP v1.0,Compute,"Runtime configuration control prevents changes to binaries, certificates, and remote access configurations",,CM-5 Access Restrictions for Change,N/A,N/A +35,CNSWP v1.0,Compute,Runtime configuration prevents ingress and egress network access for containers to only what is required to operate,,SC-7 Boundary Protection,N/A,N/A +36,CNSWP v1.0,Compute,Policies are defined that restrict communications to only occur between sanctioned microservice pairs,,SC-7 Boundary Protection,N/A,N/A +37,CNSWP v1.0,Compute,"Use a policy agent to control and enforce authorized, signed container images",,CM-5 Access Restrictions for Change,N/A,N/A +38,CNSWP v1.0,Compute,Use a policy agent to control provenance assurance for operational workloads,,CM-5 Access Restrictions for Change,N/A,N/A +39,CNSWP v1.0,Compute,Use a service mesh that eliminates implicit trust through data-in-motion encryption (data in transit),,SC-7 Boundary Protection,N/A,N/A +40,CNSWP v1.0,Compute,"Use components that detect, track, aggregate and report 
system calls and network traffic from a container",should be leveraged to look for unexpected or malicious behavior,SI-4 System Monitoring,N/A,N/A +41,CNSWP v1.0,Compute,Workloads should be dynamically scanned to detect malicious or insidious behavior for which no known occurrence yet exists,"Events such as an extended sleep command that executes data exfiltration from etcd after the workload has been running for X amount of days are not expected in the majority of environments and therefore are not included in security tests. The aspect that workloads can have time or event delayed trojan horses is only detectable by comparing to baseline expected behavior, often discovered during thorough activity and scan monitoring",SI-3 Malicious Code Protection,N/A,N/A +42,CNSWP v1.0,Compute,Environments are continuously scanned to detect new vulnerabilities in workloads,"Vulnerabilities are constantly being discovered, just because it wasnt vulnerable at deploy, doesn't mean it won't be vulnerable in two weeks",RA-5 Vulnerability Monitoring and Scanning,N/A,N/A +43,CNSWP v1.0,Compute,"Actionable audit events are generates that correlate/contextualize data from logs into ""information"" that can drive decision trees/incident response",,AU-3 Content of Audit Records,N/A,N/A +44,CNSWP v1.0,Compute,segregation of duties and the principle of least privilege is enforced,,AC-6 Least Privilege,N/A,N/A +45,CNSWP v1.0,Compute,Non-compliant violations are detected based on a pre-configured set of rules that filter violations of the organization's policies,,"SI-7 Software, Firmware, and Information Integrity",N/A,N/A +46,CNSWP v1.0,Compute,Native secret stores encrypt with keys from an external Key Management Store (KMS),,SC-12(3) Systems & Communication Protection,N/A,N/A +47,CNSWP v1.0,Compute,Native secret stores are not configured for base64 encoding or stored in clear-text in the key-value store by default,encoding is not encryption,SC-12(3) Systems & Communication 
Protection,N/A,N/A +48,CNSWP v1.0,Compute,Network traffic to malicious domains is detected and denied,,SI-4 System Monitoring,N/A,N/A +49,CNSWP v1.0,Compute,"Use encrypted containers for sensitive sources, methods, and data",,SC-28 Protection of Information at Rest,N/A,N/A +50,CNSWP v1.0,Compute,"Use SBOMs to identify current deployments of vulnerable libraries, dependencies, and packages",,CM-8 System Component Inventory,N/A,N/A +51,CNSWP v1.0,Compute,Processes must execute only functions explicitly defined in an allow list,,CM-2 Baseline Configuration CM-7 Least Functionality,N/A,N/A +52,CNSWP v1.0,Compute,Functions are not be allowed to make changes to critical file system mount points,,CM-5 Access Restrictions for Change,N/A,N/A +53,CNSWP v1.0,Compute,Function access is only permitted to sanctioned services,Either through networking restrictions or least privilege in permission models,CM-2 Baseline Configuration CM-7 Least Functionality,N/A,N/A +54,CNSWP v1.0,Compute,Egress network connection is monitored to detect and prevent access to C&C (command and control) and other malicious network domains,,SI-4 System Monitoring,N/A,N/A +55,CNSWP v1.0,Compute,Ingress network inspection is employed detect and remove malicious payloads and commands,"For instance, SQL injection attacks can be detected using inspection.",SI-4 System Monitoring,N/A,N/A +56,CNSWP v1.0,Compute,Serverless functions are run in tenant-based resource or performance isolation for similar data classifications,This may impact the performance due to limitations in the address space available to the isolation environment and should be considered for only the most sensitive workloads.,SC-7(21) Boundary Protection | Isolation of System Components,N/A,N/A +57,CNSWP v1.0,Deploy,trust confirmation verifies the image has a valid signature from an authorized source,,"SR-4 (3) PROVENANCE | VALIDATE AS GENUINE AND NOT ALTERED +SR-4 (4) PROVENANCE | SUPPLY CHAIN INTEGRITY — PEDIGREE",N/A,N/A +58,CNSWP 
v1.0,Deploy,Image runtime policies are enforced prior to deployment,,"SI-7 (17) SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | RUNTIME APPLICATION SELF-PROTECTION",N/A,N/A +59,CNSWP v1.0,Deploy,Image integrity and signature are verifying prior to deployment,,"SR-4 (3) PROVENANCE | VALIDATE AS GENUINE AND NOT ALTERED +SR-4 (4) PROVENANCE | SUPPLY CHAIN INTEGRITY — PEDIGREE",N/A,N/A +60,CNSWP v1.0,Deploy,"Applications provide logs regarding authentication, authorization, actions, and failures",,CM-3 CONFIGURATION CHANGE CONTROL,N/A,N/A +61,CNSWP v1.0,Deploy,Forensics capabilities are integrated into an incident response plan and procedures,,INCIDENT HANDLING | MALICIOUS CODE AND FORENSIC ANALYSIS,N/A,N/A +62,CNSWP v1.0,Deploy,"AI, ML, or statistical modeling are used for behavioural and heuristic environment analysis",,SI-3 SYSTEM AND INFORMATION INTEGRITY,N/A,N/A +63,CNSWP v1.0,Develop,Establish a dedicated Production environment,,SA-3(1) SYSTEM DEVELOPMENT LIFE CYCLE | MANAGE PREPRODUCTION ENVIRONMENT,N/A,N/A +64,CNSWP v1.0,Develop,Leverage Dynamic deployments,"Blue/Green, Alpha/Beta, Canary, red-black deployments",SA-8(31) SECURITY AND PRIVACY ENGINEERING PRINCIPLES | SECURE SYSTEM MODIFICATION,N/A,N/A +65,CNSWP v1.0,Develop,Integrate vulnerability and configuration scanning in the IDE or at the pull request,,SA-11(1) DEVELOPER TESTING AND EVALUATION | STATIC CODE ANALYSIS,N/A,N/A +66,CNSWP v1.0,Develop,"Establish dedicated development, testing, and production environment",,"SA-15 DEVELOPMENT PROCESS, STANDARDS, AND TOOLS",N/A,N/A +67,CNSWP v1.0,Develop,Build tests for business-critical code,,SA-11 DEVELOPER TESTING AND EVALUATION,N/A,N/A +68,CNSWP v1.0,Develop,Build tests for business-critical infrastructure,,SA-11 DEVELOPER TESTING AND EVALUATION,N/A,N/A +69,CNSWP v1.0,Develop,Test suite able to be ran locally,,SA-11 DEVELOPER TESTING AND EVALUATION,N/A,N/A +70,CNSWP v1.0,Develop,Test suites should be available to run in a shared environment,,SA-11 DEVELOPER 
TESTING AND EVALUATION,N/A,N/A +71,CNSWP v1.0,Develop,Implement two non-author reviewers/approvers prior to merging,,SA-11(4) DEVELOPER TESTING AND EVALUATION | MANUAL CODE REVIEWS,N/A,N/A +72,CNSWP v1.0,Develop,Code should be clean and well commented,,,N/A,N/A +73,CNSWP v1.0,Develop,Full infrastructure tests are used,,SA-11 DEVELOPER TESTING AND EVALUATION,N/A,N/A +74,CNSWP v1.0,Develop,Regression tests are used,,SA-11 DEVELOPER TESTING AND EVALUATION,N/A,N/A +75,CNSWP v1.0,Develop,Test suites are updated against new and emerging threats and developed into security regressions tests,,SA-11 DEVELOPER TESTING AND EVALUATION,N/A,N/A +76,CNSWP v1.0,Develop,Establish a dedicated Testing environment,,SA-3(1) SYSTEM DEVELOPMENT LIFE CYCLE | MANAGE PREPRODUCTION ENVIRONMENT,N/A,N/A +77,CNSWP v1.0,Develop,Continuous integration server is isolated,,SC-39 PROCESS ISOLATION,N/A,N/A +78,CNSWP v1.0,Develop,Use threat model results to determine ROI for test development,,SA-11(2) DEVELOPER TESTING AND EVALUATION | THREAT MODELING AND VULNERABILITY ANALYSES,N/A,N/A +79,CNSWP v1.0,Distribute,Trust is verified,,,N/A,N/A +80,CNSWP v1.0,Distribute,Artifacts ready for deployment are managed in a staging or pre-prod registry,,,N/A,N/A +81,CNSWP v1.0,Distribute,container images are hardened following best practices,"Images contain least permissions to remain functional, do not allow for shell, do not include unnecessary libraries and dependencies, do not bind mount files in from the host, etc.",,N/A,N/A +82,CNSWP v1.0,Distribute,Static application security testing (SAST) is performed,Linting & fuzzing is performed,,N/A,N/A +83,CNSWP v1.0,Distribute,Test suites follow the test pyramid,,,N/A,N/A +84,CNSWP v1.0,Distribute,Artifacts undergoing active development are held in a private registery,,,N/A,N/A +85,CNSWP v1.0,Distribute,Scan application manifests in CI pipeline,,RA-5 VULNERABILITY MONITORING AND SCANNING,N/A,N/A +86,CNSWP v1.0,Distribute,CI server's for sensitive workloads are 
isolated from other workloads,,SC-39 PROCESS ISOLATION,N/A,N/A +87,CNSWP v1.0,Distribute,Builds requiring elevated privileges must run on dedicated servers,,SC-39 PROCESS ISOLATION,N/A,N/A +88,CNSWP v1.0,Distribute,Build policies are enforced on the CI pipeline,,SA-1 POLICY AND PROCEDURES,N/A,N/A +89,CNSWP v1.0,Distribute,Sign pipeline metadata,,"SI-7 SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY",N/A,N/A +90,CNSWP v1.0,Distribute,Build stages are verified prior to the next stage executing,,"SI-7 SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY",N/A,N/A +91,CNSWP v1.0,Distribute,Images are scanned within the CI pipeline,,"RA-5 VULNERABILITY MONITORING AND SCANNING +SA-3 SYSTEM DEVELOPMENT LIFE CYCLE",N/A,N/A +92,CNSWP v1.0,Distribute,Vulnerability scans are coupled with pipeline compliance rules,Prevent insecure images and artifacts from being deployed,SA-1 POLICY AND PROCEDURES,N/A,N/A +93,CNSWP v1.0,Distribute,Dynamic application security testing (DAST) is performed,mocking,SA-11 (8) & (9) INTERACTIVE APPLICATION SECURITY TESTING,N/A,N/A +94,CNSWP v1.0,Distribute,Application instrumentation is employed,,SI-4 SYSTEM MONITORING,N/A,N/A +95,CNSWP v1.0,Distribute,Automated test results map back to requirements,"Requirements include feature, function, security, and complaince",,N/A,N/A +96,CNSWP v1.0,Distribute,Infrastructure security tests must be employed,"firewall rules open to the world, overprivileged Identity & Access Management (IAM) policies, unauthenticated endpoints, etc",,N/A,N/A +97,CNSWP v1.0,Distribute,Tests to verify the security health are executed at time of build and at time of deploy,to evaluate any changes or regressions that may have occurred throughout the lifecycle.,SI-4 SYSTEM MONITORING,N/A,N/A +98,CNSWP v1.0,Distribute,IaC is subject to the same pipeline policy controls as application code,,,N/A,N/A +99,CNSWP v1.0,Distribute,Security testing is automated,,"SA-11 DEVELOPER TESTING AND EVALUATION +CA-8 PENETRATION TESTING",N/A,N/A +100,CNSWP 
v1.0,Distribute,Registries require mutually authenticated TLS for all registry connections,,IA-3(1) CRYPTOGRAPHIC BIDIRECTIONAL AUTHENTICATION,N/A,N/A +101,CNSWP v1.0,Distribute,image and metadata are signed,,"SI-7 SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY",N/A,N/A +102,CNSWP v1.0,Distribute,configuration is signed,,"SI-7 SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY",N/A,N/A +103,CNSWP v1.0,Distribute,package is signed,,"SI-7 SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY",N/A,N/A +104,CNSWP v1.0,Distribute,Validate integrity of images,,SI-7 SYSTEM & INFORMATION INTEGRITY,N/A,N/A +105,CNSWP v1.0,Distribute,Scan images for vulnerabilities and malware,,"RA-5 VULNERABILITY MONITORING AND SCANNING +SA-3 SYSTEM DEVELOPMENT LIFE CYCLE",N/A,N/A +106,CNSWP v1.0,Distribute,Enable image signing key revokation in the event of compromise,,SI-7 SYSTEM & INFORMATION INTEGRITY,N/A,N/A +107,CNSWP v1.0,Distribute,Security updates are prioritized,,SI-2(3) SYSTEM & INFORMATION INTEGRITY,N/A,N/A +108,CNSWP v1.0,Distribute,HSMs or credential managers should be used for protecting credentials,,SC-12(3) SYSTEMS & COMMUNICATION PROTECTION,N/A,N/A +109,CNSWP v1.0,Distribute,Container image scanning findings are acted upon,,SI-2(3) SYSTEM & INFORMATION INTEGRITY,N/A,N/A +110,CNSWP v1.0,Distribute,organizational compliance rules are enforced,,PL-1 POLICY AND PROCEDURES,N/A,N/A +111,CNSWP v1.0,Distribute,Incremental hardening of the infrastructure is employed,,,N/A,N/A +112,CNSWP v1.0,Distribute,pulls from public registries are controlled and only from authorized engineers or internal registries,,AC-6(3) LEAST PRIVILEGE | NETWORK ACCESS TO PRIVILEGED COMMANDS,N/A,N/A +113,CNSWP v1.0,Distribute,Image encryption is coupled with key management attestation and/or authorization and credential distribution,This restricts the image to only be deployed to authorized platforms. 
Container image authorization is useful for compliance use cases such as geo-fencing or export control and digital rights media management,"SC-12(2) CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT | SYMMETRIC & ASYMMETRIC KEYS +SC-12(3) CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT | SYMMETRIC & ASYMMETRIC KEYS",N/A,N/A +114,CNSWP v1.0,Distribute,At-risk applications are prioritized for remediation by the exploit maturity and vulnerable path presence in addition to the CVSS score,,SI-2(3) SYSTEM & INFORMATION INTEGRITY,N/A,N/A +115,CNSWP v1.0,Security Assurance,Network policies enforce east-west network communication within the container deployment is limited to only that which is authorized for access,,AC-6(3) LEAST PRIVILEGE | NETWORK ACCESS TO PRIVILEGED COMMANDS,N/A,N/A +116,CNSWP v1.0,Security Assurance,Incident reponse considers cloud native workloads,"workloads which may not always conform with some underlying assumptions about node isolation (new pod instances could run on a different server), networking (e.g. IP addresses are assigned dynamically) and immutability (e.g. 
runtime changes to container are not persisted across restarts)","IR-4 INCIDENT HANDLING | AUTOMATED INCIDENT HANDLING PROCESSES +IR-4(5) INCIDENT HANDLING | AUTOMATIC DISABLING OF SYSTEM +CA-7 CONTINUOUS MONITORING",N/A,N/A +117,CNSWP v1.0,Security Assurance,Incident response accounts for appropriate evidence handling and collection of coud native workloads,,"IR-5(1) INCIDENT MONITORING | AUTOMATED TRACKING, DATA COLLECTION, AND ANALYSIS",N/A,N/A +118,CNSWP v1.0,Security Assurance,Rootless builds are employed,,,N/A,N/A +119,CNSWP v1.0,Security Assurance,cgroups and system groups are used to isolate workloads and deployments,,,N/A,N/A +120,CNSWP v1.0,Security Assurance,MAC implementations are employed,"SELinux, AppArmor",AC-3(3) ACCESS ENFORCEMENT | MANDATORY ACCESS CONTROL,N/A,N/A +121,CNSWP v1.0,Security Assurance,Threat model code and infrastructure, While various strategies are available, the MITRE ATT&CK matrix is an excellent starting point,,SA-11(2) DEVELOPER TESTING AND EVALUATION | THREAT MODELING AND VULNERABILITY ANALYSES,N/A,N/A +122,CNSWP v1.0,Security Assurance,Entities are able to independently authenticate other identities,Public Key Infrastructure,IA-9 SERVICE IDENTIFICATION AND AUTHENTICATION,N/A,N/A +123,CNSWP v1.0,Security Assurance,Each entity can create proof of who the identity is,,IA-9 SERVICE IDENTIFICATION AND AUTHENTICATION,N/A,N/A +124,CNSWP v1.0,Security Assurance,"Orchestrator is running on an a trusted OS, BIOS, etc",,CM-14 SIGNED COMPONENTS,N/A,N/A +125,CNSWP v1.0,Security Assurance,Orchestrator verifies the claims of a container,,SI-6 SECURITY AND PRIVACY FUNCTION VERIFICATION,N/A,N/A +126,CNSWP v1.0,Security Assurance,Orchestrator network policies are used in conjunction with a service mesh,,,N/A,N/A +127,CNSWP v1.0,Storage,Storage control plane management interface requires mutual authentication and TLS for connections,,SC-8 TRANSMISSION CONFIDENTIALITY AND INTEGRITY,N/A,N/A +128,CNSWP v1.0,Storage,"Data availability is achieved 
through parity or mirroring, erasure coding or replicas",,SI-13 PREDICTABLE FAILURE PREVENTION,N/A,N/A +129,CNSWP v1.0,Storage,"Hashing and checksums are added to blocks, objects or files","primarily designed to detect and recover from corrupted data, but can also add a layer of protection against the tampering of data.","CM-7 LEAST FUNCTIONALITY +SI-7 SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY",N/A,N/A +130,CNSWP v1.0,Storage,Data backup storage locations employ like access controls and security policies to that of the data storage source,,"SA-9 EXTERNAL SYSTEM SERVICES +SC-30 CONCEALMENT AND MISDIRECTION",N/A,N/A +131,CNSWP v1.0,Storage,Secure erasure adhering to OPAL standards is employed for returned or non-functional devices,," +CP-9 SYSTEM BACKUP +MP-6 MEDIA SANITIZATION",N/A,N/A +132,CNSWP v1.0,Storage,"Encryption at rest considers data path, size, and frequency of access when determing additional security protections and cryptographic algorithms to employ","The encryption may be implemented in the storage client or storage server and granularity of the encryption will vary by system (e.g. 
per volume, per group or global keys)",SC-28 PROTECTION OF INFORMATION AT REST,N/A,N/A +133,CNSWP v1.0,Storage,Caching is considered for determining encryption requirements in archictures,,,N/A,N/A +134,CNSWP v1.0,Storage,Namespaces have defined trust boundaries to cordon access to volumes,,,N/A,N/A +135,CNSWP v1.0,Storage,Security policies are used to prevent containers from accessing volume mounts on worker nodes,,"SC-7 BOUNDARY PROTECTION +SA-8 SECURITY AND PRIVACY ENGINEERING PRINCIPLES +CM-6 CONFIGURATION SETTINGS",N/A,N/A +136,CNSWP v1.0,Storage,Security policies are used enforce authorized worker node access to volumes,,"SC-7 BOUNDARY PROTECTION +SA-8 SECURITY AND PRIVACY ENGINEERING PRINCIPLES +CM-6 CONFIGURATION SETTINGS",N/A,N/A +137,CNSWP v1.0,Storage,Volume UID and GID are inaccessible to containers,,"AC-4 INFORMATION FLOW ENFORCEMENT +AC-16 SECURITY AND PRIVACY ATTRIBUTES +SI-7 SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY",N/A,N/A +138,CNSWP v1.0,Storage,Artifact registry supports OCI artifacts,,,N/A,N/A +139,CNSWP v1.0,Storage,Artifact registry supports signed artifacts,,CM-14 SIGNED COMPONENTS,N/A,N/A +140,CNSWP v1.0,Storage,Artifact registry verifies artifacts against organizational policies,,"AU-10 NON-REPUDIATION +CM-6 CONFIGURATION SETTINGS",N/A,N/A +141,SSCP v1.0,Securing Artefacts,Every step in the build process should be signed/attested for process integrity,The signing of artefacts should be performed at each stage of its life cycle. 
The final artefact bundle should include these collective signatures and itself be signed to give integrity to the completed artefact and all its associated metadata.,"SI-1 POLICY AND PROCEDURES +SI-7 SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY",Moderate to High,Moderate to High +142,SSCP v1.0,Securing Artefacts,Every step in the build process should verify the previously generated signatures,"The integrity and provenance of images, deployment configuration, and application packages included in artefacts should all be validated using the signatures generated by each step in its build process to ensure compliance","SI-1 POLICY AND PROCEDURES +SI-7 SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY",Moderate to High,Moderate to High +143,SSCP v1.0,Securing Artefacts,Use a framework to manage signing of artefacts.,Consider TUF/notary to sign OCI images. Notary makes use of a “root-of-trust” model to delegate trust from a single root to the individual teams or developers who sign artefacts. It uses additional metadata to allow clients to verify the freshness of content in a repository and protect against common attacks on update systems48. Clients can make use of public keys to verify the contents of the repository. ,IA-5 AUTHENTICATOR MANAGEMENT,Moderate to High,Moderate to High +144,SSCP v1.0,Securing Artefacts,Use a store to manage attestations,Consider storing in-toto attestations in OCI registries alongside the image. Generated in-toto metadata needs to be stored and tracked for which a database or a dedicated store such as Grafeas can be used.,AC-4(6) INFORMATION FLOW ENFORCEMENT | METADATA,Moderate to High,Moderate to High +145,SSCP v1.0,Securing Artefacts,Limit which artefacts any given party is authorized to certify,"Trust should not be granted universally or indefinitely. Artefacts or metadata that a given party is trusted to certify should be restricted using selective trust delegations. 
Trust must expire at predefined intervals, unless renewed as weel as a party must only be trusted to perform the tasks assigned to it to ensure compartmentatlization",AC-6 LEAST PRIVILEGE,High,High +146,SSCP v1.0,Securing Artefacts,Rotation and revokation of private keys should be supported,"The system must be prepared for when, not if, its private keys are compromised. The ability to rotate and revoke private keys must be built into the distribution mechanism. Additionally, multiple keys must be used for different tasks or roles, and a threshold of keys must be required for important roles. Finally, minimal trust must be placed in high-risk keys like those that are stored online or used in automated roles.",SC-12 CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT,High,High +147,SSCP v1.0,Securing Artefacts,Use a container registry that supports OCI image-spec images,An internal image registry should be deployed and configured to support internal artefact distribution with the security properties described in this section.,,High,High +148,SSCP v1.0,Securing Artefacts,Encrypt artefacts before distribution & ensure only authorized platforms have decryption capabilities,"Ensure contents of the artefact remain confidential in transit and at rest, until it is consumed. These artefacts can be encrypted so that they are accessible by authorized parties, such as the clusters, vulnerability scanners, etc. t is recommended organizations use key management and distribution systems with identity and attestation mechanisms (e.g. SPIFFE/SPIRE)","SC-28(1) PROTECTION OF INFORMATION AT REST | CRYPTOGRAPHIC PROTECTION +SC-13 CRYPTOGRAPHIC PROTECTION +SC-8 TRANSMISSION CONFIDENTIALITY AND INTEGRITY +IA-5 AUTHENTICATOR MANAGEMENT +SC-12 CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT",High,High +149,SSCP v1.0,Securing Build Pipelines,Cryptographically guarantee policy adherence,The presence and output of each build step should be attested during the build. 
The CNCF maintains the in-toto project that can be used to secure a chain of pipeline stages end-to-end with cryptographic guarantees. Build metadata should be evaluated against the policy template by using tools such as Open Policy Agent. ,CM-3(6) CONFIGURATION CHANGE CONTROL | CRYPTOGRAPHY MANAGEMENT,High,High +150,SSCP v1.0,Securing Build Pipelines,Validate environments and dependencies before usage,"The build environment’s sources and dependencies must come from a secure, trusted source of truth. Checksums and any signatures should be validated both in the downloading or ingestion process, and again by the build worker. This should include validating package manager signatures, checking out specific Git commit hashes, and verifying SHA sums of input sources and binaries. After completing this validation, the downloading process should sign all binaries or libraries it is adding to the secure source","CM-3(2) CONFIGURATION CHANGE CONTROL | TESTING, VALIDATION, AND DOCUMENTATION OF CHANGES",Moderate to High,Moderate to High +151,SSCP v1.0,Securing Build Pipelines,Validate runtime security of build workers,"Out-of-band verification of runtime environment security, as defined by execution of policies using tools such as seccomp, AppArmor, and SELinux, provides defense in depth against attacks on build infrastructure. 
High privilege kernel capabilities such as debugger, device, and network attachments should be restricted and monitored.",CM-3(4) CONFIGURATION CHANGE CONTROL | SECURITY AND PRIVACY REPRESENTATIVES,Moderate to High,Moderate to High +152,SSCP v1.0,Securing Build Pipelines,Validate build artefacts through verifiably reproducible builds,"A verifiably reproducible build is a build process where, given a source code commit hash and a set of build instructions, an end user should be able to reproduce the built artefact bit for bit.","CM-3(4) CONFIGURATION CHANGE CONTROL | SECURITY AND PRIVACY REPRESENTATIVES +CM-3(5) CONFIGURATION CHANGE CONTROL | AUTOMATED SECURITY RESPONSE",High,High +153,SSCP v1.0,Securing Build Pipelines,Lock and Verify External Requirements from the build process,,"CM-3(2) CONFIGURATION CHANGE CONTROL | TESTING, VALIDATION, AND DOCUMENTATION OF CHANGES",Moderate to High,Moderate to High +154,SSCP v1.0,Securing Build Pipelines,Find and Eliminate Sources of Non-Determinism,Reproducible-builds.org documents and offers solutions for many of these things. 
Diffoscope41 can be used to dig in and find the cause of differences when tracking down sources of non-determinism.,,Moderate to High,Moderate to High +155,SSCP v1.0,Securing Build Pipelines,Record the Build Environment,Ensure best practices outlined in cloud native security paper are followed to deploy a secure orchestration layer,"CM-3(1) CONFIGURATION CHANGE CONTROL | AUTOMATED DOCUMENTATION, NOTIFICATION, AND PROHIBITION OF CHANGES",High,High +156,SSCP v1.0,Securing Build Pipelines,Automate Creation of the Build Environment,,CM-3(3) CONFIGURATION CHANGE CONTROL | AUTOMATED CHANGE IMPLEMENTATION,High,High +157,SSCP v1.0,Securing Build Pipelines,Distribute Builds across different infrastructure,,CM-3(3) CONFIGURATION CHANGE CONTROL | AUTOMATED CHANGE IMPLEMENTATION,High,High +158,SSCP v1.0,Securing Build Pipelines,Build and related CI/CD steps should be automated through a pipeline delivered as code,,"SA-3 SYSTEM DEVELOPMENT LIFE CYCLE +SA-11 DEVELOPER TESTING AND EVALUATION",Moderate to High,Moderate to High +159,SSCP v1.0,Securing Build Pipelines,Standardize pipelines across projects,,,Moderate to High,Moderate to High +160,SSCP v1.0,Securing Build Pipelines,Provision a secured orchestration platform to host software factory,,,Moderate to High,Moderate to High +161,SSCP v1.0,Securing Build Pipelines,Build workers should be single use,,AC-2 ACCOUNT MANAGEMENT,High,Moderate +162,SSCP v1.0,Securing Build Pipelines,Ensure software factory has minimal network connectivity,"The software factory should have no network connectivity other than to connect to the trusted sources of hardened source code, the dependency repository and code signing infrastructure.",SC-7(3) BOUNDARY PROTECTION | ACCESS POINTS,High,High +163,SSCP v1.0,Securing Build Pipelines,Segregate the duties of each build worker,,AC-5 SEPARATION OF DUTIES,High,High +164,SSCP v1.0,Securing Build Pipelines,Pass in build worker environment and commands,"Inorder to limit hostile tooling and persistent impants 
from attackers, a Build Worker should start with a clean and isolated environmment. It should not be able to pull its own environment. Ensure environment variables and commands are explicitly passed to avoid any complicated and opaque build process",CM-2(2) BASELINE CONFIGURATION | AUTOMATION SUPPORT FOR ACCURACY / CURRENC,High,High +165,SSCP v1.0,Securing Build Pipelines,Write output to separate secured storage repo,The output artefact should be written to a separate shared storage from the inputs. A process separate from the Build Worker should then upload that artefact to an appropriate repository.,AU-9(2) PROTECTION OF AUDIT INFORMATION | STORE ON SEPARATE PHYSICAL SYSTEMS OR COMPONENTS,High,High +166,SSCP v1.0,Securing Build Pipelines,Only allow pipeline modification through “pipeline as code”,The pipeline configuration (pipeline as code) should be immutable and any modification shouldn't be possible. This prevents attackers from interacting and modifying the configuration. This model then requires appropriate authentication and authorization to be in place for the software and configuration of the pipeline,,Moderate to High,Moderate to High +167,SSCP v1.0,Securing Build Pipelines,Define user roles,,AC-2 ACCOUNT MANAGEMENT,Moderate to High,Moderate to High +168,SSCP v1.0,Securing Build Pipelines,Follow established practices for establishing a root of trust from an offline source,,"SC-17 PUBLIC KEY INFRASTRUCTURE CERTIFICATES +IA-5(2) AUTHENTICATOR MANAGEMENT | PUBLIC KEY-BASED AUTHENTICATION +SA-8(10) SECURITY AND PRIVACY ENGINEERING PRINCIPLES | HIERARCHICAL TRUST +SR-4(4) PROVENANCE | SUPPLY CHAIN INTEGRITY — PEDIGREE",High,High +169,SSCP v1.0,Securing Build Pipelines,Use short-lived workload certificates,,"SC-23(5) SESSION AUTHENTICITY | ALLOWED CERTIFICATE AUTHORITIES +SC-17 PUBLIC KEY INFRASTRUCTURE CERTIFICATES",High,High +170,SSCP v1.0,Securing Deployments,Ensure clients can perform verification of artefacts and associated metadata,,"SI-7 SOFTWARE, 
FIRMWARE, AND INFORMATION INTEGRITY",Moderate to High,Moderate to High +171,SSCP v1.0,Securing Deployments,Ensure clients can verify the “freshness” of files,Ensure clients can access latest versions and can veriify if the provided files are out of date,"SI-7 SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY",Moderate to High,Moderate to High +172,SSCP v1.0,Securing Deployments,Use a framework for managing software updates,"Use TUF to enforce the updating of software. The Update Framework (TUF) is a specification for delivering software updates in a secure, reliable and trusted way",,High,High +173,SSCP v1.0,Securing Materials,Verify third party artefacts and open source libraries,"All third party artefacts, open source libraries and any other dependencies should be verified as part of the continuous integration pipeline by validating their checksums against a known good source and validating any cryptographic signatures. Any software ingested must be scanned using Software Composition Analysis (SCA) and pentesting tools to detect whether any vulnerable open-source software is used in the final product.",SA-11 DEVELOPER TESTING AND EVALUATION,Moderate to High,Moderate to High +174,SSCP v1.0,Securing Materials,Require SBOM from third party suppliers,"Where possible, vendors should be required to provide Software Bills of Materials (SBOMs) containing the explicit details of the software and versions used within the supplied product as it provides a clear and direct link to the dependencies.",CM-8 INFORMATION SYSTEM COMPONENT INVENTORY ,High,High +175,SSCP v1.0,Securing Materials,Track dependencies between open source components,"A register should be maintained of a project’s open source components, dependencies and vulnerabilities to help trace any deployed artefacts with new vulnerabilities. 
One of the most popular open source inventory implementations is OWASP Dependency-Track.",CM-10 SOFTWARE USAGE RESTRICTIONS,Moderate to High,Moderate to High +176,SSCP v1.0,Securing Materials,Build libraries based upon source code,,,High,High +177,SSCP v1.0,Securing Materials,Define and prioritize trusted package managers and repositories,"Organizations should host their own package managers and artefact repositories, and restrict build machines to pull from only those sources.",,High,High +178,SSCP v1.0,Securing Materials,Generate an immutable SBOM of the code,There are currently two well known SBOM specifications: SPDX34 and CycloneDX,,Moderate to High,Moderate to High +179,SSCP v1.0,Securing Materials,Scan software for vulnerabilities,,"RA-5 VULNERABILITY MONITORING AND SCANNING +SA-3 SYSTEM DEVELOPMENT LIFE CYCLE",Moderate to High,Moderate to High +180,SSCP v1.0,Securing Materials,Scan software for license implications,Licensing obligations must also be factored into the ingestion process. The Linux Foundation maintains the Open Compliance Program36 which hosts several tools to ensure released software meets legal and regulatory compliance requirements.,CM-10 SOFTWARE USAGE RESTRICTIONS,Moderate to High,Moderate to High +181,SSCP v1.0,Securing Materials,Run software composition analysis on ingested software,"The SCA tool will attempt to use heuristics to identify the direct and transitive dependencies, and can also serve as verification of SBOM content. 
This data will then be matched against data from a number of data feeds containing vulnerability data to highlight any vulnerabilities in the dependent packages.",SA-11 (1) (8) & (9) DEVELOPER TESTING AND EVALUATION,Moderate to High,Moderate to High +182,SSCP v1.0,Securing the Source Code,Commits and tags are signed,GPG keys or S/MIME certificates are used to sign the source code,"SI-7 SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY",Moderate to High,Moderate to High +183,SSCP v1.0,Securing the Source Code,Enforce full attestation and verification for protected branches,Branch protection is enabled on the mainline and release branches with force push disabled,AC-6(3) LEAST PRIVILEGE | NETWORK ACCESS TO PRIVILEGED COMMANDS,High,High +184,SSCP v1.0,Securing the Source Code,Secrets are not committed to the source code repository unless encrypted,"Implement tooling to detect secrets or to prevent certain files from being pushed which may contain plaintext sensitive materials, such as via a .gitignore and/or .gitattributes file, client-side hook (pre-commit), server-side hook (pre-receive or update), and/or as a step in the CI process","SC-12(3) SYSTEMS & COMMUNICATION PROTECTION +SC-12(2) CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT | SYMMETRIC & ASYMMETRIC KEYS",Moderate to High,Moderate to High +185,SSCP v1.0,Securing the Source Code,The individuals or teams with write access to a repository are defined,Implement codeowners (or equivalent),"PL-1 POLICY AND PROCEDURES +AC-3 ACCESS ENFORCEMENT",High,High +186,SSCP v1.0,Securing the Source Code,Automate software security scanning and testing,"Security specific scans should be performed, including Static Application Security Tests (SAST) and Dynamic Application Security Tests (DAST). Both the coverage and results of these tests should be published as part of the repository information to help downstream consumers of software better assess the stability, reliability, and/or suitability of a product or library. 
","RA-5 VULNERABILITY MONITORING AND SCANNING +SA-3 SYSTEM DEVELOPMENT LIFE CYCLE",Moderate to High,Moderate to High +187,SSCP v1.0,Securing the Source Code,Establish and adhere to contribution policies,"Define configuration options or configuration rules witthin SCM platforms allow repository administrators to enforce security, hygiene and operational policies.",PL-1 POLICY AND PROCEDURES,Moderate to High,Moderate to High +188,SSCP v1.0,Securing the Source Code,Define roles aligned to functional responsibilities,"Define roles by using principle of least privileges to provide access based on function such as Developer, Maintainer, Owner, Reviewer, Approver, and Guest",PL-1 POLICY AND PROCEDURES,Moderate to High,Moderate to High +189,SSCP v1.0,Securing the Source Code,Enforce an independent four-eyes principle,The author(s) of a request may not also be the approver of the request. At least two reviewers with equal or greater expertise should review & approve the request.,SA-11 DEVELOPER TESTING AND EVALUATION,Moderate to High,Moderate to High +190,SSCP v1.0,Securing the Source Code,Use branch protection rules,"SCM platforms allow the configuration and restriction of source code operations on individual branches. Protection rules can be used to enforce the usage of pull requests with specified precondition and approval rules, ensuring that a human code review process is followed or an automated status checking of a branch occurs. 
Additionally, protected branches can be used to disallow dangerous use of force pushes26, preventing the overwrite of commit histories and potential obfuscation of code changes.",SA-8 SECURITY ENGINEERING PRINCIPLES,Moderate to High,Moderate to High +191,SSCP v1.0,Securing the Source Code,Enforce MFA for accessing source code repositories,,IA-2(1) Identification and Authentication (organizational Users) | Multi-Factor Authenticaiton to Priviledged Accounts,Moderate to High,Moderate to High +192,SSCP v1.0,Securing the Source Code,Use SSH keys to provide developers access to source code repositories,,AC-1 REMOTE ACCESS,Moderate to High,Moderate to High +193,SSCP v1.0,Securing the Source Code,Have a key rotation policy,"It is recommended to implement a key rotation policy to ensure that compromised keys will cease to be usable after a certain period of time. When a private key is known to have been compromised, it should be revoked and replaced immediately to shut off access for any unauthorized user. Organizations may also consider using short lived certificates or keys, which reduces the reliance on certificate revocation systems.",AC-2(1) ACCOUNT MANAGEMENT | AUTOMATED SYSTEM ACCOUNT MANAGEMENT,Moderate to High,Moderate to High +194,SSCP v1.0,Securing the Source Code,Use short-lived/ephemeral credentials for machine/service access,"Short-life credential issuance encourages the use of fine grained permissions and automation in provisioning access tokens. For CI/CD pipeline agents, short-lived access tokens should be considered instead of password-based credentials. 
The use of very short-lived tokens like OAuth 2.0, OpenID Connect, etc., will help to implement more secure access and increase the security assurance.",AC-2(1) ACCOUNT MANAGEMENT | AUTOMATED SYSTEM ACCOUNT MANAGEMENT,Moderate to High,Moderate to High +195,CNSWP v1.0,Develop,Implement secure configuration as the default state of the system,Transitioning towards such a system involves making security a design requirement, inheriting default security configuration and supporting an exception process,SA-8(23) SECURITY AND PRIVACY ENGINEERING PRINCIPLES | SECURE DEFAULTS,N/A,N/A +196,CNSWP v1.0,Security Assurance,Adhere to supply chain security best practices,The SSCP controls in this document provide the necessary controls for best practices,,,N/A,N/A +197,CNSWP v1.0,Security Assurance,Adhere to GitOps best practices for development and deployments,The "Security the Source Code" SSCP controls provide the necessary GitOps best practices,,N/A,N/A
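Review bot: rows 195 and 196 do not parse to the eight columns the header declares, and row 197 carries bare double quotes inside an unquoted field, so a strict CSV reader will shift or reject the NIST reference, Assurance Level and Risk Categories values for the three controls the changelog announces. In row 195 the Control Implementation text contains an unquoted comma ("...a design requirement, inheriting default security configuration..."), which splits it into two fields; wrap the whole field in double quotes as the other multi-clause rows do. In row 196 there is one empty field too many before `N/A,N/A` (`,,,N/A,N/A`); drop one comma. In row 197 quote the field and double the inner quotes, and change "Security the Source Code" to "Securing the Source Code" so it matches the Section value used by rows 182 to 194. Two consistency points in the same hunk: the changelog attributes 195 to 197 to CNSWPv2, but the Originating Document column says `CNSWP v1.0`, and the changelog is headed "New in version 1.2" while the file is named controls_catalog_v1.1.csv; please align both. Row 192 also labels its reference `AC-1 REMOTE ACCESS`, but in SP 800-53r5 AC-1 is Policy and Procedures and Remote Access is AC-17, so confirm which control is meant. A CI check that parses the file and asserts eight fields per record would catch the column drift before merge.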