diff --git a/source/clear-linux/concepts/concepts.rst b/source/clear-linux/concepts/concepts.rst
index 496e31e5..3f78eda3 100644
--- a/source/clear-linux/concepts/concepts.rst
+++ b/source/clear-linux/concepts/concepts.rst
@@ -15,4 +15,5 @@ details relevant to the |CL| features.
bundles-about
autospec-about
restart
+ security
telemetry-about
diff --git a/source/clear-linux/concepts/security.rst b/source/clear-linux/concepts/security.rst
new file mode 100644
index 00000000..9bfe90ff
--- /dev/null
+++ b/source/clear-linux/concepts/security.rst
@@ -0,0 +1,204 @@
+.. _security:
+
+Clear Linux\* OS Security
+**********************
+
+Clear Linux\* OS aims to make systemic and layered security-conscious decisions
+that are both performant and practical. This security philosophy is rooted
+within the project's codebase and operating culture.
+
+
+.. contents:: :local:
+ :depth: 2
+
+
+
+Security in Updates
+===================
+
+The |CL| team believes in the benefits of
+software security through open sourcing, incremental updates, and
+rapidly resolving known security advisories.
+
+
+
+The latest Linux codebase
+-------------------------
+
+|CL| uses the newest version of the Linux kernel which allows the operating
+system to leverage the latest features from the upstream Linux kernel,
+including security fixes.
+
+
+
+
+Automated Effective Updating
+----------------------------
+
+|CL| is incrementally updated multiple times per day.
+
+This `rolling release model`_ allows |CL| to consume the latest security
+fixes of software packages as soon as they become available.
+There is no waiting for major or minor releases on |CL|.
+
+An update is not effective if it is just simply downloaded onto a system.
+It needs to be obtained *AND* ensured that the new patched copy is being
+used; not an older copy loaded into memory. |CL| will let you know when a
+service needs to be rebooted or do it for your automatically after
+a software update, if desired.
+
+
+In |CL| updates are delivered automatically, efficiently,
+and effectively. For more information see
+`documentation about Software Updates`_ in |CL|.
+
+
+
+
+
+Automated CVE Scanning and Remediation
+--------------------------------------
+
+The sheer number of software packages and security vulnerabilities is growing
+exponentially. Repositories of Common Vulnerabilities and Exposures (CVEs)
+and their fixes, if known, are published by :abbr:`NIST` in a
+National Vulnerability Database \ |NVD|\ and at \ |MITRE|\ .
+
+
+|CL| employs a proactive and measured approach to addressing known
+and fixable :abbr:`CVEs (Common Vulnerabilities and Exposures)`.
+Packages are automatically scanned against
+:abbr:`CVEs (Common Vulnerabilities and Exposures)` daily, and security
+patches are deployed as soon as they are available.
+
+These combined practices minimize the amount of
+time |CL| systems are exposed to unnecessary security risk.
+
+
+
+
+
+Security in Software
+====================
+
+
+Minimized attack surface
+-------------------------
+
+|CL| removes legacy, unneeded, or redundant standards and
+components as much as possible to enable the use of best known security
+standards. Below are some examples:
+
+* `RC4`, `SSLv3`, `3DES`, and `SHA-1` ciphers which have had known
+ vulnerabilities, have been explicitly disabled within many |CL| packages to
+ avoid their accidental usage.
+
+* Services and subsystems which expose sensitive system information
+ have been removed such as the `finger` and `tcpwrappers`.
+
+* `SFTP` has been disabled by default due to security
+ considerations. See the `openssh-server reference page`_ for more details.
+
+
+Verified trust
+--------------
+
+|CL| encourages the use of secure practices such as encryption
+and digital signature verification throughout the system and discourages blind
+trust. Below are some examples:
+
+* All update operations from swupd are transparently encrypted and checked
+ against the |CL| maintainers' public key for authenticity.
+ More information can be found in this blog post:
+ `blog post about swupd security`_
+
+* Before being built, packages available from |CL| verify checksums and
+ signatures provided by third party project codebases and maintainers.
+
+* |CL| features a unified certificate store, `clrtrust`_ which comes
+ ready to work with well-known Certificate Authorities out of the box.
+ `clrtrust`_ also offers an easy to use command line interface for managing
+ system-wide chains of trust, instead of ignoring foreign certificates.
+
+
+
+
+
+
+Compiled with secure options
+----------------------------
+
+While |CL| packages are optimized for performance on
+IntelĀ® architecture, security conscious kernel and compiler options are
+sensibly taken advantage of. Below are some examples:
+
+
+* Kernels shipped with Clear Linux are signed and disallow the usage of
+ custom kernel modules to maintain verifiable system integrity.
+
+* `Address space layout randomization (ASLR)`_ and
+ `Kernel address space layout randomization (KASLR)`_ are kernel features
+ which defend against certain memory based attacks.
+ More information can be found in a `blog post about PIE executables`_ .
+
+* `dm-verity`_ is a kernel mechanism readily available in |CL|
+ which verifies integrity of the devices being written to, like hard disks,
+ to help ensure they have not been tampered with.
+
+
+
+
+
+Security in System Design
+=========================
+
+Simple, yet effective, techniques are used throughout the
+|CL| system design to defend against common attack vectors and enable
+good security hygiene. Below are some examples:
+
+
+* Full disk encryption using `Linux Unified Key Setup`_ (LUKS) is available
+ during installation.
+
+* |CL| uses the PAM cracklib module to harden user login and password
+ security resulting in:
+
+ - No default username or root password set out of the box with
+ |CL|, you will be asked to set your own password immediately.
+
+ - Simple password schemes, which are known to be easily compromised,
+ cannot be set in |CL|.
+
+ - A password blacklist, to avoid system passwords being set to
+ passwords which have been compromised in the past.
+
+* `Tallow`_, a lightweight service which monitors and blocks suspicious SSH
+ login patterns, is installed with the :command:`openssh-server` bundle.
+
+
+
+
+
+
+.. _`documentation about Software Updates`: https://clearlinux.org/documentation/clear-linux/concepts/swupd-about
+.. _`cve-check-tool`: https://github.com/clearlinux/cve-check-tool
+.. _`openssh-server reference page`: https://clearlinux.org/documentation/clear-linux/reference/bundles/openssh-server
+.. _`blog post about swupd security`: https://clearlinux.org/blogs/security-software-update-clear-linux-os-intel-architecture
+.. _`rolling release model`: https://en.wikipedia.org/wiki/Rolling_release
+.. _`clrtrust`: https://github.com/clearlinux/clrtrust
+.. _`Address space layout randomization (ASLR)`: https://en.wikipedia.org/wiki/Address_space_layout_randomization
+.. _`Kernel address space layout randomization (KASLR)`: https://lwn.net/Articles/569635/
+.. _`dm-verity`: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/device-mapper/verity.txt
+.. _`SELinux`: https://github.com/SELinuxProject
+.. _`Linux Unified Key Setup`: https://gitlab.com/cryptsetup/cryptsetup/
+.. _`blog post about PIE executables`: https://clearlinux.org/blogs/recent-gnu-c-library-improvements
+.. _`Tallow`: https://github.com/clearlinux/tallow
+
+.. |NVD| raw:: html
+
+ https://nvd.nist.gov/
+
+.. |MITRE| raw:: html
+
+ https://cve.mitre.org/
+