The CNCF space is growing fast. We now have thousands of projects that power everything from container orchestration to service mesh technologies, and that number keeps mounting every day. But with rapid growth comes a big challenge: how do we make sure all of these critical building blocks are secure?

This is where TAG Security and Compliance comes in. One of our most impactful contributions to the community is the joint assessment process, a chance to work side by side with security experts who care about helping projects succeed.

What Exactly Is a Joint Assessment?

A joint assessment is a conversation, not a test. Project maintainers team up with security experts from TAG Security and Compliance to look at architecture, threat models, and security controls together. The process usually includes:

  1. Collaborative review: Going through documentation, designs, and security approaches as a team
  2. Open discussions: Talking through trade-offs, decisions, and possible gaps
  3. Actionable feedback: Practical recommendations that fit the project’s context (not just generic best practices)
  4. Knowledge sharing: Maintainers learn more about security, and security folks learn more about the project domain

The outcome is that projects walk away stronger, better prepared, and more confident in their security posture.

How Is It Different from Security Audits?

Projects usually think about three types of security checks:

  1. Self-assessments: Great for reflection, but they can miss blind spots since the team is judging its own work.

  2. Audits: Thorough and often required for compliance or funding, but they’re expensive, rigid, and can feel like high-stakes exams. Audits are specific to a snapshot of the code, so they become out of date as soon as the code base changes.

  3. Joint assessments: Sitting comfortably in the middle. They’re collaborative, flexible, and designed to build both security and community knowledge. They provide guidance about how to design the project to have the strongest security possible.

Self-Assessment

A self-assessment is exactly what it sounds like: your project team evaluating your own security practices. Self-assessments are a useful exercise for reviewing your project’s security, and they also serve as the starting point for the joint assessment process. Using the guidelines we provide as a template, you’ll document your architecture, identify potential threats, and assess your current security controls. It is introspective work that helps you understand where you stand. The benefits are clear: you get familiar with security terminology, start thinking systematically about threats, and create documentation that will serve you well later. But self-assessments have natural limitations. Teams can miss blind spots in their own work, lack specialized security expertise, or struggle to prioritize findings effectively.

Joint Assessment

This is where joint assessments shine. Rather than replacing self-assessment work, joint assessments build directly upon it. Your initial self-assessment becomes the foundation for collaborative discussions with TAG Security and Compliance experts. In some ways, you can view a joint assessment as guidance toward a stronger self-assessment.

Think of it this way: the self-assessment gives everyone a common starting point and shared vocabulary. When TAG Security and Compliance reviewers join the conversation, they can quickly understand your architecture and focus their expertise on the areas where you need the most help. Instead of starting from scratch, you’re having an informed discussion about specific challenges and trade-offs.

Why Should a Project Care?

For maintainers, the benefits of a joint assessment are immediate. They help teams catch issues early before they grow into serious problems, while also building lasting security know-how that the whole team can apply long after the process ends. Completing an assessment demonstrates a project’s commitment to security, strengthening its credibility within the community, and it also makes future audits far easier by ensuring documentation and practices are already in place. At the ecosystem level, every joint assessment contributes to a stronger CNCF community by reducing shared risks, improving collective practices, and giving organizations greater confidence in adopting cloud native projects.

The Hidden Advantage: Audit Readiness

One of the most overlooked benefits of joint assessments is how much easier they make future audits. Because documentation is already organized and common issues have been addressed, projects enter the audit process in a far stronger position. Security practices are typically more mature and well documented, which means auditors can spend less time digging and more time validating improvements. The result is a smoother, less stressful process that often saves both time and money. In many ways, a joint assessment acts like a practice run that prepares projects for the real thing.

Clearing Up Myths

Some projects hesitate to engage with joint assessments, but the most common concerns don’t really hold up. Many believe they are too early-stage, when in fact early engagement is the best time to establish strong security habits before things get complicated. Others worry that they lack security expertise, but that’s precisely the point: TAG Security and Compliance provides the expertise so teams can learn while improving their project. Concerns about time investment are also misplaced, since joint assessments are far lighter than full audits while offering significant value. And waiting until later often means facing more expensive and painful fixes, whereas starting early saves effort and cost down the road.

How to Get Started

Getting started with a joint assessment is simpler than many expect. Projects can begin by reaching out on the CNCF Slack or attending a TAG Security and Compliance meeting to express interest. From there, maintainers should gather whatever architecture diagrams or documentation they already have and identify a couple of contributors who can join the discussions. Creating a self-assessment from these documents provides the foundation for the upcoming joint assessment. Then, together with the TAG Security and Compliance team, the project agrees on a realistic timeline that works for everyone. The important thing is not to wait until everything feels perfect or fully prepared; the process is designed to meet projects where they are.

The Bigger Picture

The growth of cloud native depends on more than speed and innovation. It depends on trust. Security is the foundation that allows organizations to adopt these technologies with confidence. Joint assessments are a way to build that trust together. They strengthen individual projects, help teams grow their expertise, and make the entire ecosystem safer. It’s not just about checking a box; it’s about creating a culture where security is a shared community value. So, if you’re maintaining a cloud native project, the support is here, the process is approachable, and the benefits ripple far beyond your own repo.

The CNCF community is ready to help you take that step!


Last modified October 15, 2025: Create security-assessment.md (#1496) (c7d81a4)