Cloud Security Alliance Releases Candidate Mapping of FedRAMP Security Controls

By the CSA Research Team

Today at the Cloud Security Alliance Federal Summit being held in Washington, DC, the CSA announced the release of the Candidate Mapping V4 of the FedRAMP security controls to version 3.0.1 of the CSA Cloud Controls Matrix (CCM).

The FedRAMP controls are based on the National Institute of Standards and Technology (NIST) Special Publication 800-53r4, which defines 17 families of Security and Privacy Controls to be used by Federal agencies. The CSA CCM provides a control framework that is aligned to the Cloud Security Alliance guidance in 13 security domains and builds on the foundations of other industry-accepted security standards, regulations and control frameworks such as ISO 27001/27002, ISACA COBIT, PCI, Jericho Forum and NERC CIP, as well as NIST.

“In closely mapping the two security controls, Federal agencies can now better assess a cloud provider’s security controls and also address what controls need to be in place to ensure the provider is compliant with FedRAMP standards,” said Jim Reavis, CEO of the CSA. “The mapping will also help reduce the burden of getting the assessments and certifications for cloud vendors wanting to serve the Federal agencies.”

The Candidate Mapping shows that 90% of the FedRAMP controls correlate to the controls defined in the CCM. The documentation of this alignment will support a variety of constituents in the Federal cloud marketplace:

  • Cloud Service Providers (CSPs) will be provided with guidance on how their security frameworks can be developed and documented to address the requirements of multiple assessment standards, reducing the level of effort associated with obtaining multiple security certifications;
  • Assessors and auditors will be able to use the alignment to leverage documentation and artifacts, enabling them to assess CSP security postures across multiple standards in an efficient manner;
  • Federal agencies will be able to evaluate CSPs that have been assessed and certified against the CCM under the CSA Security Trust and Assurance Registry (STAR) program, in order to determine the likelihood of a CSP qualifying for FedRAMP certification;
  • The FedRAMP Program will be able to leverage the various industry standards that are integrated into the CCM framework to further the alignment of FedRAMP controls with other industry standards.

CSA will continue to collaborate with the FedRAMP Program Office to determine the best ways to leverage the Candidate Mapping to support the goals and objectives of the FedRAMP program to improve the security of cloud services utilized by Federal government agencies.

To access the mapping, visit https://cloudsecurityalliance.org/download/fedramp-cloud-controls-matrix-v3-0-1-candidate-mapping/

2 thoughts on “Cloud Security Alliance Releases Candidate Mapping of FedRAMP Security Controls”

  1. This is a very useful resource in helping us map CSP services to FedRAMP compliance. CSPs have many services which are not yet officially FedRAMP compliant but have already attained ISO 27001 compliance. So, for us to assess the security of those services, this map goes a long way in helping. However, it would be nice if the mapping was 1 to 1. It shows the more generic CSA control ID and which controls it maps to in FedRAMP and which controls it maps to in ISO 27001, but that is not transitive such that one can “prove” that every single ISO control maps to a FedRAMP control and vice versa.
