KSI-CNA-MAT—Minimizing Attack Surface
Formerly KSI-CNA-02
Control Description
NIST 800-53 Controls
Trust Center Components
Ways to express your implementation of this indicator — approaches vary by organization size, complexity, and data sensitivity.
From the field: Mature implementations express availability through live uptime dashboards — synthetic monitoring feeding SLA compliance metrics continuously, with historical data showing trend lines over months and years. Availability becomes a continuously verified property with transparent incident impact tracking, not just a contractual number in an SLA document.
Uptime and Availability Dashboard
Dashboard expressing availability posture — uptime metrics, SLA compliance trends, and incident impact as live indicators
Service Level Agreements
Published SLAs for availability, performance, and support response times
Maintenance Window Policy
Human-readable maintenance window schedule and notification procedures
Programmatic Queries
CLI Commands
# Security groups with at least one ingress rule open to all IPv4 (0.0.0.0/0). Note: IPv6 "anywhere" rules (::/0) live in Ipv6Ranges[].CidrIpv6 and are not matched by this filter.
aws ec2 describe-security-groups --query "SecurityGroups[?IpPermissions[?IpRanges[?CidrIp=='0.0.0.0/0']]].{Name:GroupName,Id:GroupId}" --output table
# Instances that carry a public IPv4 address (PublicIpAddress is absent, i.e. null, on instances without one). Instances reachable only over a public IPv6 address are not listed.
aws ec2 describe-instances --query "Reservations[].Instances[?PublicIpAddress!=null].{Id:InstanceId,PublicIP:PublicIpAddress,State:State.Name}" --output table
20x Assessment Focus Areas
Aligned with FedRAMP 20x Phase Two assessment methodology
Completeness & Coverage:
- Does your attack surface minimization apply to all machine-based resource types, including containers, serverless functions, managed services, and build/CI infrastructure?
- Are there resources with open ports, enabled services, or default features that are not required for their function, and how are those documented?
- How do you ensure lateral movement prevention extends across all network segments, including between workloads, between environments (dev/staging/prod), and between cloud accounts?
- When new resources are deployed, what gate ensures they meet hardening baselines before receiving production traffic?
Automation & Validation:
- What automated scanning validates that resources have minimal attack surface (open ports, enabled services, installed packages), and what happens when a violation is found?
- How do you test lateral movement prevention? Do you run penetration tests or breach simulation tools that attempt east-west movement from a compromised resource?
- What happens if a network segmentation rule is misconfigured and allows unintended traffic between segments? How is it detected and corrected?
- What automated mechanisms disable or remove unnecessary services, default accounts, and unused features on newly deployed resources?
Inventory & Integration:
- How do you maintain an inventory of all exposed services, ports, and endpoints across your authorization boundary?
- What tools enforce hardening baselines at deployment time (golden images, admission controllers) versus detect deviations at runtime (vulnerability scanners, CSPM)?
- How does your micro-segmentation or network policy tool integrate with your workload inventory to automatically apply appropriate traffic restrictions?
- Are hardening baselines and segmentation policies stored as code and versioned alongside infrastructure definitions?
Continuous Evidence & Schedules:
- How do you continuously demonstrate that attack surface remains minimal rather than growing over time?
- What evidence shows that lateral movement prevention controls are tested regularly, not just at initial deployment?
- Is attack surface data (open ports, exposed services, segmentation compliance) available via API for ongoing assessment?
- How do you detect attack surface expansion (new ports opened, new services enabled, segmentation relaxed) between formal review cycles?
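The two CLI queries under Programmatic Queries list world-open security groups and publicly addressed instances separately, and the Continuous Evidence questions above ask how expansion is detected between review cycles. The Python script below is an added example, not code from this page or from AWS. It reads the JSON that those two describe-* calls print, joins them so that a world-open rule only counts as exposed when its group is attached to an instance with a public IPv4 address or any IPv6 address (the PublicIpAddress!=null query alone misses IPv6-only exposure), removes entries on a documented allowlist, and diffs the result against an earlier accepted snapshot. The group names, instance ids, addresses, allowlist and baseline are constructed sample data.

```python
"""Attack-surface gate over `aws ec2 describe-security-groups` and
`aws ec2 describe-instances` output. Added example for this page; it is not
code from the KSI site or from AWS. All sample documents are constructed."""
import json
from ipaddress import ip_network

# Constructed sample of `aws ec2 describe-security-groups --output json` (abridged).
SECURITY_GROUPS = json.loads("""
{"SecurityGroups": [
  {"GroupName": "web-alb", "GroupId": "sg-0aaa", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
  {"GroupName": "bastion", "GroupId": "sg-0bbb", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
  {"GroupName": "db", "GroupId": "sg-0ccc", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
     "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
  {"GroupName": "legacy", "GroupId": "sg-0ddd", "IpPermissions": [
    {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]}
]}""")

# Constructed sample of `aws ec2 describe-instances --output json` (abridged).
# i-02 has no IPv4 PublicIpAddress but carries a public IPv6 address, which
# the PublicIpAddress!=null query on this page would not list.
INSTANCES = json.loads("""
{"Reservations": [{"Instances": [
  {"InstanceId": "i-01", "PublicIpAddress": "203.0.113.10",
   "State": {"Name": "running"},
   "SecurityGroups": [{"GroupId": "sg-0aaa"}, {"GroupId": "sg-0bbb"}],
   "NetworkInterfaces": [{"Ipv6Addresses": []}]},
  {"InstanceId": "i-02", "State": {"Name": "running"},
   "SecurityGroups": [{"GroupId": "sg-0ccc"}, {"GroupId": "sg-0ddd"}],
   "NetworkInterfaces": [{"Ipv6Addresses": [{"Ipv6Address": "2001:db8::10"}]}]}
]}]}""")


def is_world(cidr):
    """True for 0.0.0.0/0 or ::/0: a prefix length of 0 admits every address."""
    return ip_network(cidr, strict=False).prefixlen == 0


def world_open_rules(sgs):
    """Ingress rules reachable from the whole internet over IPv4 or IPv6, as
    (group_id, group_name, protocol, from_port, to_port). Protocol "-1" with
    no ports means all traffic."""
    found = []
    for sg in sgs["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            if any(is_world(c) for c in cidrs):
                found.append((sg["GroupId"], sg["GroupName"], perm["IpProtocol"],
                              perm.get("FromPort"), perm.get("ToPort")))
    return found


def public_instances(instances):
    """instance id -> attached group ids, for instances with a public IPv4
    address or any IPv6 address (EC2 IPv6 addresses are globally routable)."""
    result = {}
    for res in instances["Reservations"]:
        for inst in res["Instances"]:
            has_v6 = any(eni.get("Ipv6Addresses")
                         for eni in inst.get("NetworkInterfaces", []))
            if inst.get("PublicIpAddress") or has_v6:
                result[inst["InstanceId"]] = {g["GroupId"] for g in inst["SecurityGroups"]}
    return result


def exposed_services(sgs, instances, allowlist=frozenset()):
    """Join both views: (instance_id, group_name, protocol, from, to) for every
    world-open rule on a group attached to a publicly addressed instance, minus
    `allowlist` entries (group_name, protocol, from, to) documented as
    intentionally public, e.g. the load balancer group's 443."""
    open_by_group = {}
    for gid, name, proto, lo, hi in world_open_rules(sgs):
        open_by_group.setdefault(gid, []).append((name, proto, lo, hi))
    findings = []
    for inst_id, gids in sorted(public_instances(instances).items()):
        for gid in sorted(gids):
            for rule in open_by_group.get(gid, []):
                if rule not in allowlist:
                    findings.append((inst_id,) + rule)
    return findings


def exposure_delta(baseline, current):
    """Attack-surface growth between review cycles: findings in `current`
    that an earlier, accepted `baseline` snapshot did not contain."""
    return sorted(set(current) - set(baseline), key=repr)


if __name__ == "__main__":
    allow = frozenset({("web-alb", "tcp", 443, 443)})
    now = exposed_services(SECURITY_GROUPS, INSTANCES, allow)
    for finding in now:
        print("EXPOSED", *finding)
    # Constructed accepted baseline: the bastion's SSH was already known; the
    # IPv6 all-traffic rule reachable on i-02 is new growth, so exit non-zero.
    accepted = [("i-01", "bastion", "tcp", 22, 22)]
    raise SystemExit(1 if exposure_delta(accepted, now) else 0)
```

In a pipeline, replace the two constructed documents with the real CLI output (`aws ec2 describe-security-groups --output json` and `aws ec2 describe-instances --output json`), keep the allowlist and the accepted baseline in version control next to the infrastructure code, and fail the job on a non-empty delta; the same join should be extended to load balancers, ENIs without an instance, and other account scopes, which this example does not cover.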
Update History