Victor Chin and Lefteris Skoutaris, Research Analysts, CSA
The CSA Cloud Controls Matrix (CCM) Working Group is glad to announce the new update to the CCM v3.0.1. This minor update will incorporate the following mappings:
- Association of International Certified Professional Accountants (AICPA) Trust Services Criteria (TSC) 2017
- National Institute of Standards and Technology (NIST) 800-53 R4 Moderate
- Federal Risk Authorization and Management Program (FedRAMP) Moderate
A total of four documents will be released. The updated CCM (CCM v3.0.1-03-08-2019) will be released to replace the outdated CCM v3.0.1-12-11-2017. Additionally, three addendums will be released for AICPA TSC 2017, NIST 800-53 R4 Moderate and FedRAMP moderate, separately. The addendums will contain gap analyses and also control mappings. We hope that organizations will find these documents helpful in bridging compliance gaps between the CCM, AICPA TSC 2017, FedRAMP and NIST 800-53 R4 Moderate.
With the release of this update the CCM Working Group will be concluding all CCM v3 work and refocusing our efforts on CCM v4.
The upgrade of CCM v3 to the next version 4 has been made imperative due to the evolution of the cloud security standards, the need for more efficient auditability of the CCM controls and integration into CCM of the security requirements deriving from the new cloud technologies introduced.
In this context, a CCM task force has already been established to take on this challenge and drive CCM v4 development. The CCM v4 working group is comprised of CSA’s community volunteers comprised of industry’s leading experts in the domain of cloud computing and security. This endeavor is supported and supervised by the CCM co-chairs and strategic advisors (https://cloudsecurityalliance.org/research/working-groups/cloud-controls-matrix) who will ensure that the CCM v4 vision requirements and development plan are successfully implemented.
Some of the core objectives that drive CCM v4 development include:
- Improving the auditability of the controls
- Providing additional implementation and assessment guidance to organizations
- Improve interoperability and compatibility with other standards
- Ensuring coverage of requirements deriving from new cloud technologies (e.g., microservices, containers) and emerging technologies (e.g., IoT)
CCMv4 development works are expected to be concluded by the end of 2020. Should you be interested in knowing more, or participating and contributing to the development of CCM v4, please join the working group here: https://cloudsecurityalliance.org/research/join-working-group/.