By the CSA Research Team
Today at the Cloud Security Alliance Federal Summit being held in Washington, DC, the CSA announced the release of the Candidate Mapping V4 of the FedRAMP security controls to version 3.0.1 of the CSA Cloud Controls Matrix (CCM).
The FedRAMP controls are based on the National Institute of Standards and Technology (NIST) Special Publication 800-53r4, which defines 17 families of Security and Privacy Controls to be used by Federal agencies. The CSA CCM provides a control framework that is aligned to the Cloud Security Alliance guidance in 13 security domains and builds on the foundations of other industry-accepted security standards, regulations and control frameworks such as ISO 27001/27002, ISACA COBIT, PCI, Jericho Forum and NERC CIP, as well as NIST.
“In closely mapping the two security controls, Federal agencies can now better assess a cloud provider’s security controls and also address what controls need to be in place to ensure the provider is compliant with FedRAMP standards,” said Jim Reavis, CEO of the CSA. “The mapping will also help reduce the burden of getting the assessments and certifications for cloud vendors wanting to serve the Federal agencies.”
The Candidate Mapping shows that 90% of the FedRAMP controls correlate to controls defined in the CCM. Documenting this alignment will support a variety of constituents in the Federal cloud marketplace:
- Cloud Service Providers (CSPs) will be provided with guidance on how their security frameworks can be developed and documented to address the requirements of multiple assessment standards, reducing the level of effort associated with obtaining multiple security certifications;
- Assessors and auditors will be able to use the alignment to leverage existing documentation and artifacts, enabling them to assess CSP security postures across multiple standards in an efficient manner;
- Federal agencies will be able to evaluate CSPs that have been assessed and certified against the CCM under the CSA Security, Trust and Assurance Registry (STAR) program in order to determine the likelihood that a CSP will qualify for FedRAMP certification;
- The FedRAMP Program will be able to leverage the various industry standards that are integrated into the CCM framework to further the alignment of FedRAMP controls with other industry standards.
CSA will continue to collaborate with the FedRAMP Program Office to determine the best ways to leverage the Candidate Mapping to support the goals and objectives of the FedRAMP program to improve the security of cloud services utilized by Federal government agencies.
To access the mapping, visit https://cloudsecurityalliance.org/download/fedramp-cloud-controls-matrix-v3-0-1-candidate-mapping/