I not positive, but I think that one of the NSA’s guidance documents has been recently updated:
BOOT SECURITY MODES AND RECOMMENDATIONS
Modern computing platforms provide a variety of boot options. The security implications, advantages, and disadvantages are rarely identified in documentation. Some configuration options, such as Secure Boot and Trusted Platform Module (TPM) 1 may appear redundant despite serving complementary roles. Six different configurations are compared below. Recommendations for different use cases are presented at the end of this document.