The Cloud Security Alliance (CSA), the world's leading organization dedicated to defining standards, certifications and best practices to help ensure a secure cloud computing environment, announced the availability of version 4 of the Cloud Controls Matrix (CCM), CSA's flagship cybersecurity framework for cloud computing. The CCM v4 includes additional cloud security and privacy-related controls and encompasses coverage of requirements deriving from new cloud technologies, improved control auditability, enhanced interoperability and compatibility with other standards, and expanded support offerings to navigate the cloud shared responsibility model.
CCM is a cybersecurity control framework for cloud computing that aligns to the CSA Best Practices and is considered the de-facto standard for cloud security and privacy. CCM v4 constitutes a significant upgrade to the previous version (v3.0.1) by introducing changes in the framework structure with a new domain dedicated to Logging and Monitoring (LOG), and modifications in the existing ones including governance, risk and compliance (GRC); auditing and assurance (A&A); unified endpoint management (UEM); and cryptography, encryption and key management (CEK).
"CSA's Cloud Controls Matrix continues to lead the security industry and market as the cloud provider and user-centric control framework of choice. With an increasingly complex array of cloud technologies, controls, and frameworks, it's vital that cloud customers have clear, definitive insight into the risks, roles, and responsibilities to which they and their chosen cloud service provider must adhere," said Jim Reavis, co-founder and CEO, Cloud Security Alliance.
The CCMv4 was developed by an expert group of more than 70 practitioners and industry leaders representing key cloud stakeholders, among them cloud service providers, cloud customers, auditors, and consulting firms. It features 17 domains, up one from the previous iteration, and a total of 197 controls (up from 133). In early February, the 64 new controls will be accompanied by mappings with ISO/IEC 27001-2013, ISO/IEC 27017-2015, ISO/IEC 27018-2019, AICPA TSC v2017, and CCM V3.0.1.
"The world is changing at rapid-fire pace, and cloud security providers are having to not only keep pace but stay one step ahead. CCMv4 provides enterprises with an additional layer of transparency and confidence that their CSPs are following recommended security best practices," said Daniele Catteddu, Chief Technology Officer, Cloud Security Alliance.
In addition to the set of core controls, CCMv4 will roll out additional components over the coming year:
- CCM Implementation Guidelines: Guidance to support the implementation of CCM controls. (Tentative release date: early Q2 2021).
- Consensus Assessments Initiative Questionnaire (CAIQ): Questionnaire related to CCM controls (Tentative release date: early Q2 2021)
- Control Applicability Matrix: Support to define the attribution of responsibilities between cloud service providers and customers. (Tentative release date: early Q2 2021)
- Organizational Relevance: A support to define the organizational relevance of each control based on work done by the CSA Enterprise Architecture working group. (Tentative release date: early Q2 2021)
- CCM Auditing Guidelines: Guidance to support the auditing and assessment of CCM controls. (Tentative release date: early Q3 2021)
- CCM Lite: A lightweight version of CCM, including a subset of the CCM Controls which represent the CCM foundational controls, i.e., those that organizations should implement regardless. (Tentative release date: early Q4 2021)
- Translation of CCM in other languages
Beyond the above initiatives, CSA will be working over the course of 2021 to create additional mapping to relevant standards, best practices, laws and regulations (e.g., NIST 800-53 Rev 5, ENISA Security Controls for Cloud Services, CIS Controls, PCI-DSS).
The CCMv4 is a free resource and is available for download now.