Policy and Inventory

A secure cloud service offering will have intentional, organized, universal guidance for how every information resource, including personnel, is secured.

Generating Inventories

KSI-PIY-GIV

Former ID: KSI-PIY-01

Changelog:

  • 2026-02-04: Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes.

Use authoritative sources to automatically generate real-time inventories of all information resources when needed.

Related SP 800-53 Controls: CM-2.2, CM-7.5, CM-8, CM-8.1, CM-12, CM-12.1, CP-2.8


Terms: Information Resource

Reviewing Executive Support

KSI-PIY-RES

Former ID: KSI-PIY-08

Changelog:

  • 2026-02-04: Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes.

Persistently review executive support for achieving the organization's security objectives.


Terms: Persistently

Reviewing Investments in Security

KSI-PIY-RIS

Former ID: KSI-PIY-06

Changelog:

  • 2026-02-04: Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes.

Persistently review the effectiveness of the organization's investments in achieving security objectives.

Related SP 800-53 Controls: AC-5, CA-2, CP-2.1, CP-4.1, IR-3.2, PM-3, SA-2, SA-3, SR-2.1


Terms: Persistently

Reviewing Security in the SDLC

KSI-PIY-RSD

Former ID: KSI-PIY-04

Changelog:

  • 2026-02-04: Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes.

Persistently review the effectiveness of building security and privacy considerations into the Software Development Lifecycle and aligning with CISA Secure By Design principles.

Related SP 800-53 Controls: AC-5, AU-3.3, CM-3.4, PL-8, PM-7, SA-3, SA-8, SC-4, SC-18, SI-10, SI-11, SI-16


Terms: Persistently

Reviewing Vulnerability Disclosures

KSI-PIY-RVD

Former ID: KSI-PIY-03

Changelog:

  • 2026-02-04: Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes.

Persistently review the effectiveness of the provider's vulnerability disclosure program.

Related SP 800-53 Controls: RA-5.11


Terms: Persistently, Vulnerability