CCM v3.0.1. Update for AICPA, NIST and FedRAMP Mappings

Victor Chin and Lefteris Skoutaris, Research Analysts, CSA

The CSA Cloud Controls Matrix (CCM) Working Group is glad to announce a new update to CCM v3.0.1. This minor update incorporates the following mappings:

  • AICPA TSC 2017
  • NIST 800-53 R4 Moderate
  • FedRAMP Moderate

A total of four documents will be released. The updated CCM (CCM v3.0.1-03-08-2019) replaces the outdated CCM v3.0.1-12-11-2017. Additionally, three separate addenda will be released for AICPA TSC 2017, NIST 800-53 R4 Moderate and FedRAMP Moderate. Each addendum contains a gap analysis as well as the control mappings. We hope that organizations will find these documents helpful in bridging compliance gaps between the CCM, AICPA TSC 2017, FedRAMP Moderate and NIST 800-53 R4 Moderate.

With the release of this update, the CCM Working Group will conclude all CCM v3 work and refocus its efforts on CCM v4.

The upgrade from CCM v3 to version 4 has become imperative for three reasons: the evolution of cloud security standards, the need for more efficient auditability of the CCM controls, and the need to integrate into the CCM the security requirements arising from newly introduced cloud technologies.

In this context, a CCM task force has already been established to take on this challenge and drive CCM v4 development. The CCM v4 working group is made up of CSA community volunteers, including leading industry experts in cloud computing and security. The effort is supported and supervised by the CCM co-chairs and strategic advisors (https://cloudsecurityalliance.org/research/working-groups/cloud-controls-matrix), who will ensure that the CCM v4 vision, requirements and development plan are successfully implemented.

Some of the core objectives that drive CCM v4 development include:

  • Improving the auditability of the controls
  • Providing additional implementation and assessment guidance to organizations
  • Improving interoperability and compatibility with other standards
  • Ensuring coverage of requirements deriving from new cloud technologies (e.g., microservices, containers) and emerging technologies (e.g., IoT)

CCM v4 development is expected to conclude by the end of 2020. Should you be interested in learning more, or in participating and contributing to the development of CCM v4, please join the working group here: https://cloudsecurityalliance.org/research/join-working-group/.

FedSTAR Pilot Program Status

As the use of cloud technology has become more widespread, concern about cloud security has increased. Government agencies and private sector users alike are concerned with protecting data and ensuring service availability. Many countries and private entities have designed and implemented security programs to increase the level of assurance and trust in cloud services. As a result, multiple certification and accreditation programs have been created. As of 2019, over 40 different security certification schemes have been developed and implemented worldwide, including the CSA STAR program.

On the one hand, the introduction of certification and accreditation schemes has simplified the creation of trusted relationships between Cloud Service Providers (CSPs) and customers and consequently streamlined procurement processes. On the other hand, the proliferation of certification schemes has the side effect of generating compliance fatigue. This issue is having a significant impact on the resources that CSPs must devote to security. Many CSPs have dedicated staff for ensuring compliance with the multiple security certifications governing their services. In addition to being a resource drain on existing CSPs, the need to comply with multiple security certifications is a major obstacle to market entry for new CSPs.

About 18 months ago, CSA began working with the FedRAMP program office at the U.S. General Services Administration on the idea of FedSTAR, a program to facilitate mutual recognition between the FedRAMP and STAR programs. The FedSTAR project is part of a larger CSA initiative aimed at evolving STAR into a global framework for multiparty recognition of national, international, and sector-specific certifications.

There is an equivalent program to FedSTAR in Europe, the EU-SEC project. CSA has introduced the idea of multiparty recognition to the stakeholder community, and there has been a lot of interest from both the government and private sectors.

Both the FedSTAR and EU-SEC projects share four primary goals:

  • Build a foundation for mutual recognition between national, international and sector-specific security certifications, attestations and accreditations
  • Grant a trusted certification that is recognized by CSPs and customers
  • Reduce the compliance cost for CSPs that want to meet the requirements of both industry and government
  • Support requirements for continuous monitoring

The solution to this global problem is not to establish yet another security certification scheme with its own processes, evidence of compliance, and source control set. Rather, FedSTAR aims to develop a process that supports mutual recognition between the U.S. Federal government's FedRAMP and CSA STAR. The approach rests on the fact that both FedRAMP and CSA STAR are grounded in sanctioned, widely used sets of controls as the source of security compliance.

The goal of FedSTAR is that once a company has achieved either STAR Certification or a FedRAMP authorization to operate, it can obtain the other by auditing only the delta of controls, that is, the gap between the requirements of FedRAMP Moderate and the Cloud Controls Matrix (CCM). In support of this, the FedSTAR auditing team would be required to hold both the STAR Certification Lead Auditor and 3PAO professional accreditations.

While STAR Certification and FedRAMP are not compatible as currently deployed, they have basic elements in common, including the level of maturity of each program, the requirement for independent third-party assessors and the use of control-based reviews.

Our working assumption, based on initial research, is that mutual recognition between the two systems would be straightforward to establish because of the overlap between the FedRAMP Moderate baseline and the CSA CCM controls.

These factors led to our decision to codify the process and measure the level of effort required for a CSP to go from a FedRAMP Moderate authorization to CSA STAR certification.

Where are we now? 

  • We have developed a gap analysis between CSA STAR and FedRAMP Moderate
  • We have established a set of measures designed to quantify the time, staff and other resources needed to obtain a CSA STAR certification after receiving a FedRAMP Moderate authorization to operate
  • We have identified one CSP that has agreed to include a CSA STAR certification assessment in its annual review for FedRAMP compliance; this effort will begin in late summer 2019 and will be our first pilot

Measures of Success

CSA's working assumption is that only a minimal level of effort will be required to obtain a CSA STAR certification starting from a FedRAMP Moderate ATO. However, this hypothesis must be validated. Therefore, working with members of the third-party independent assessor community, we have established a set of measures that pilot participants have agreed to collect. These measures include both qualitative and quantitative criteria.

1) Readiness/Preparation time – Quantitative measure of the effort required by the auditee to prepare for a STAR Certification audit starting from a position of FedRAMP Moderate compliance, expressed in person-days

2) Audit time – Quantitative measure of the time required to obtain the STAR certification, specifically the effort needed for documentation preparation and for the 3PAO assessment

3) Accuracy of the mapping and gap analysis – CSA has provided a “CCM-FedRAMP Mapping and Gap Analysis” to support this effort. We are asking for comments on the usefulness of the mapping and the effectiveness of the “compensating controls” suggested by CSA

4) Re-use of audit evidence – Identification of the documents and evidence created during a FedRAMP audit that can be applied to the requirements of CCM v3.0.1

5) Skill base – What skills are required to complete a FedRAMP-to-CSA STAR audit? Were there additional skills that the CSP needed to provide to complete the STAR Certification?

6) Tooling – The pilot will also collect feedback on the tools provided to facilitate pilot execution

Next Steps

Now is a critical time for the FedSTAR project. We have done the necessary planning and infrastructure development. Our briefings on the program, delivered in conjunction with FedRAMP, have generated interest in the cloud community. The time is right to execute the pilots and analyze the results. One pilot program will begin in late summer 2019. To move forward, we:

  • Need additional CSPs to sign up to participate in the program
  • Need to establish a Focus Group to review pilot results and guide the program