An open, implementation-neutral architecture for continuously verifiable trust across cloud and AI workloads.
Framework for Continuous Remote Attestation
Confidential computing has transformed cloud security by enabling workloads to run inside hardware-protected trusted execution environments (TEEs). But most attestation models still verify trust only at boot. That model is no longer sufficient.
A workload that begins in a trusted state can still be compromised at runtime through unauthorized code changes, kernel-level attacks, data exfiltration, or AI model manipulation. In modern Zero Trust environments, trust cannot be static. It must be continuously verified.
To address this gap, MITRE convened the Confidential Computing Layered Attestation Working Group to advance a new model for attestation.
The resulting Framework for Continuous Remote Attestation introduces an open, implementation-neutral architecture for ongoing, hardware-rooted verification across cloud and edge environments. The framework extends attestation beyond startup measurements to include runtime integrity, behavioral assurance, attested transport binding, and AI workload verification.
While launch-time attestation has become foundational to confidential computing, continuous attestation at runtime remains largely undefined. This effort helps establish a common architectural foundation for interoperable, continuously verifiable trust across modern cloud and AI systems.
The core specification, Framework for Continuous Remote Attestation in Confidential Computing Environments, Version 0.9.6, serves as the normative foundation of the effort.
Three accompanying informative documents provide additional guidance for implementation and compliance practitioners:
- Annex A: Compliance Control Mapping Methodology illustrates mappings to frameworks including NIST SP 800-171/CMMC 2.0, NIST SP 800-53, HIPAA, PCI DSS, and SOC 2.
- Annex B: Provider Attestation Service Architecture addresses the integration of Cloud Service Provider with the frameworks evidence layers, trust anchor types, and provider stances.
- Annex C: Threat Model defines the adversary model, assumptions, and threat matrix used throughout the framework.
How to Participate
The Public Review Draft is open for written feedback. We are soliciting comments on the technical content, architectural decisions, evidence model completeness, and standards alignment. This is a learning phase — the working group will review all submissions and incorporate community input into the next revision.
To submit feedback or get involved in this initiative, email CloudSec@mitre.org with the subject line: CRA Framework v0.9.6 — [Your Organization] — [Section Number(s)]
The deadline to submit feedback on v0.9.6 is August 31, 2026. All feedback is subject to release under applicable public disclosure policies.
About the Working Group
The Confidential Computing Layered Attestation Working Group was convened to address the industry’s lack of a standardized approach to continuous remote attestation.
The working group brings together contributors from across the confidential computing ecosystem, including founding collaborators MITRE, Fr0ntierX, and Invary.
MITRE
MITRE operates federally funded research and development centers on behalf of U.S. government sponsors. MITRE contributes formal methods expertise, Zero Trust and regulatory domain knowledge, and a public-interest mission focused on developing interoperable approaches that benefit the broader ecosystem.
Fr0ntierX
Fr0ntierX develops the Polaris confidential computing platform for cloud workloads. The company contributes practical deployment experience in hardware-rooted continuous attestation, multi-cloud confidential computing environments, attested transport binding, and runtime monitoring across production TEE platforms.
Invary
Invary provides kernel runtime integrity verification technology designed to detect sophisticated runtime threats, including advanced kernel memory manipulation and DKOM-style rootkits. Invary contributes deep runtime integrity expertise within the framework’s layered attestation architecture.