Compliance Working Group

Cloud Native systems shift technical and human workflows. The community has researched cloud native security, tackling software vulnerabilities, risk management, dependencies, GitOps, supply chain provenance, malicious attacks, threat models, and security assessments. Organizations must comply with privacy and data protection laws, ensuring compute and data integrity. These concerns require both technical configurations and complex human orchestration, especially for audits needing reviewable artifacts.

Bridging technical issues with legal and regulatory workflows, the working group aims to prevent system breaches while addressing supply chain, operator, data, and AI failures. Focusing on auditability, non-repudiation, and forensic evidence, it plans to curate vendor-neutral tools for evidence collection, chain-of-custody in audits, and automated workflows for continuous compliance.

The key focus areas include:

Creating a knowledge base and case studies on operating a cloud native environment within legal and regulatory requirements. These requirements encompass not just technical security but also human activities, system availability, continuity of operations, and data location, sovereignty, and provenance.

Generating compliance as code examples, templates, and tools for automating both technical and non-technical requirements, control assessment, data analysis, audit, and compliance remediation workflows benefiting CNCF projects and their users.

Reviewing industry and governmental standards (e.g., NIST, PCI, HIPAA) from a cloud native perspective and advising the CNCF community on implementing and supporting these compliance requirements to enable best practice adoption by various organizations.

Responsibilities

  • Users/personas/needs/customer demands for industry and regulatory compliance (both human and technical)
  • Identification of areas of focus, e.g. human workflows, automated workflows, analytical tools, audit and assessment tools, technical security controls that cut across components, systems and clouds, etc.
  • Framework for evaluation, audit and reporting - how do products and tools demonstrate compliance?
  • Training and automation - what is missing, what is difficult to understand, what knowledge gaps are there?
  • Work on integrating common tooling across different projects, particularly where that tooling is a CNCF project (but the targets may not be)
  • Cross project focus on the projects and efforts the CNCF is funding, helping projects identify needs and providing subject matter expertise to assist
  • Recommendations of integrating security tooling with compliance tooling and processes - making both the synergies and unique separations of concern explicit and achieving community consensus.
  • Growing CNCF external relationships with interested parties, e.g. NIST and other compliance standards bodies such as FINOS, OSCAL, OpenSSF

Meeting Information

Contact

  • Leads: Anca Sailer (@ancatri), Robert Ficcaglia (@rficcaglia)