Cloud Native Architecture — FedRAMP KSI Domain
Generated from the official FedRAMP/docs GitHub repo. Source path:
FRMR.documentation.json on main at blob 5c6bfee74029. FRMR version: 0.9.43-beta · upstream last_updated: 2026-04-08. The official FedRAMP/rules repo exists, but grclanker still treats FedRAMP/docs as the active source until structured rules land there.
Cloud Native Architecture
Domain code: CNA · Domain ID: KSI-CNA · Web slug: cloud-native-architecture
Theme
A secure cloud service offering will use cloud native architecture and design principles to enforce and enhance the confidentiality, integrity and availability of the system.
Indicators
KSI-CNA-DFP (formerly KSI-CNA-04) — Defining Functionality and Privileges
Strictly define the functionality and privileges for infrastructure and services.
Mapped Rev5 controls: cm-2, si-3
Recent update: 2026-02-04 — Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes.
KSI-CNA-EIS (formerly KSI-CNA-08) — Enforcing Intended State
Mapped Rev5 controls: ca-2.1, ca-7.1
Terms: Information Resource, Machine-Based (information resources), Persistently
Recent update: 2026-02-04 — Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes.
KSI-CNA-IBP (formerly KSI-CNA-07) — Implementing Best Practices
Persistently ensure cloud-native machine-based information resources are implemented based on the host provider’s best practices and documented guidance.
Mapped Rev5 controls: ac-17.3, cm-2, pl-10
Terms: Information Resource, Machine-Based (information resources), Persistently
Recent update: 2026-02-04 — Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes.
KSI-CNA-MAT (formerly KSI-CNA-02) — Minimizing Attack Surface
Persistently ensure machine-based information resources have a minimal attack surface and that lateral movement is minimized if compromised.
Mapped Rev5 controls: ac-17.3, ac-18.1, ac-18.3, ac-20.1, ca-9, sc-7.3, sc-7.4, sc-7.5, sc-7.8, sc-8, sc-10, si-10, si-11, si-16
Terms: Information Resource, Machine-Based (information resources), Persistently
Recent update: 2026-02-04 — Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes.
KSI-CNA-OFA (formerly KSI-CNA-06) — Optimizing for Availability
Appropriately optimize machine-based information resources for high availability and rapid recovery.
Terms: Information Resource, Machine-Based (information resources)
Recent update: 2026-02-04 — Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes.
KSI-CNA-RNT (formerly KSI-CNA-01) — Restricting Network Traffic
Persistently ensure all machine-based information resources are configured to limit inbound and outbound network traffic.
Mapped Rev5 controls: ac-17.3, ca-9, cm-7.1, sc-7.5, si-8
Terms: Information Resource, Machine-Based (information resources), Persistently
Recent update: 2026-02-04 — Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes.
KSI-CNA-RVP (formerly KSI-CNA-05) — Reviewing Protections
Persistently review the effectiveness of protection against denial of service attacks and other unwanted activity.
Mapped Rev5 controls: sc-5, si-8, si-8.2
Terms: Persistently
Recent update: 2026-02-04 — Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes.
KSI-CNA-ULN (formerly KSI-CNA-03) — Using Logical Networking
Use logical networking and related capabilities to enforce traffic flow controls.
Mapped Rev5 controls: ac-12, ac-17.3, ca-9, sc-4, sc-7, sc-7.7, sc-8, sc-10
Recent update: 2026-02-04 — Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes.