Project
A cybersecurity requirements traceability matrix for hybrid cloud security architectures.
The matrix enumerates 1157 sub-element security requirements, each anchored to publicly available, authoritative federal cybersecurity guidance: NIST SP 800-53 Rev 5, CSF 1.1 (with CSF 2.0 annotations), CSSP Evaluator Scoring Metrics v11 (CSSP-ESM), CSSP Alignment Risk Validation V1 (CSSP-CARV), DoD Zero Trust Reference Architecture v2, CORA Evaluation Criteria, DoD Cyber Reference Architecture v5, DoDM 8530.01 and related DoD cyber doctrine, OMB M-21-31 / M-22-09, DoD Cloud SRG, DISA SCCA, and applicable Network/Boundary STIGs.
The 1157 sub-elements decompose 35 hybrid cloud security capabilities (SIEM, EDR, MDM, etc.) across the seven DoD Zero Trust pillars.
A practitioner's hybrid cloud security architecture analysis has to answer one question repeatedly: for capability X, what does authoritative guidance require, and what does the architecture choice (Course of Action) discriminate? This matrix answers that question for the 35 commonly deployed security capabilities required to model DoD reference architectures.
The various sources of guidance available from https://csiac.dtic.mil/resources/the-dod-cybersecurity-policy-chart/ detail various components of the requirements, but they're fractured by design. Even comprehensive sources, like the control catalog from NIST SP 800-53, don't include the architectural decisions needed. DISA SRGs & STIGs don't cover policy and don't go deep enough on architecture. I needed something that combined them all and provided a pivot-table-like view of the security requirements - at sufficient depth to analyze various approaches to security design across on-prem, cloud, hybrid, & multi-cloud environments. So I built this.