Dear members,
please find below the joint minutes and CCMv4 development update based on our recent CCM WG calls (week 1-5 Nov.).
Brief summary:
- The CCMv4.0 Auditing guidelines are final and expected for release on December 8th.
- CSA - IBM have established a partnership to align the cloud security frameworks (call for participation).
- CSA has published a translated version of CCMv4 in 5 other languages.
- CCM WG is conducting a mapping & gap analysis between CCMv4 - NIST 800-53r5.
- CCM WG experts who have contributed to CSA publications (including CCMv4 related publications) can now have their profiles displayed on the CSA website by filling out this form.
Please find below the usual well-structured and detailed minutes section.
Agenda Items (AIs):
- CCMv4.0 auditing guidelines development
- CCMv4.0 mapping & gap analysis exercises (NIST 800-53r5)
- CSA Collaborations
- CCMv4 translations to other languages
- AoB
Participants (15):
Robin Basham
Geoff Bird
Madhav Chablani
Angell Duran
Sanjeev Gupta
Damian Heal
Onyeka Illoh
Erik Johnson
Joel John
Evans Jones
Don Maclean
Claus Matzke
David Nickles (Co-chair)
John D.Maria
Johan Olivier
Lefteris Skoutaris (PM)
Meeting Minutes (MMs):
1. CCMv4.0 auditing guidelines development
- The CCMv4 auditing guidelines are final and prepared for publication (see section 2 of current MS Word document version),
- The guidelines are expected to be published on December 8th, in both PDF and Excel formats (in the latter case, integrated as an additional tab into the main CCM Excel),
- The main body of the guidelines (section 2) is sent to a copyeditor for proper editorial evaluation, while section 1 is currently being proofread by the CCM WG,
- CSA is currently encoding the CCMv4 auditing guidelines into JSON/YAML format (CCMv4 and its components are fully encoded into JSON/YAML formats).
2. CCMv4.0 mapping & gap analysis exercises
- CSA has kicked-off a mapping activity between CCMv4.0 - NIST 800-53r5,
- Robin Basham has been invited by the CCM leadership team to lead on the mapping activity of CCM and NIST 800-53 and had been providing guidance in that direction,
- Mapping activity is progressing well with 11/17 domains mapping delivered and 6 more domains pending 2nd review/final consolidation,
- Mapping is expected for delivery by end of November.
Snapshot of 'CCMv4-NIST 800-53r5' tool's progress tab
3. CSA Collaborations
- CSA and IBM have established a partnership that focuses on the alignment of their cloud control frameworks, the CCMv4 and IBM FS Cloud Framework,
- IBM has already conducted a preliminary and bi-directional mapping plus gap analysis,
- Main partnership objective is to validate the IBM mapping outcome from CSA side in 2 reviews,
  - 1st review: validate CCM-IBM FS Cloud mapping outcome,
  - 2nd review: validate IBM FS Cloud-CCM mapping outcome,
- CSA is interested in involving experts from the CCM WG in this mapping review exercise (prerequisites are good experience in the implementation/assessment of the CCMv4 and its control specifications, as well as previous experience with CCMv3/v4 mapping exercises).
- The mapping review exercise has not kicked-off yet.
4. CCMv4 translations to other languages
- CCM is currently translated to 5 languages: Chinese, Hungarian, Japanese, Spanish, Turkish,
- Translations were developed in collaboration with the homonymous chapters,
- CSA welcomes additional offers from the WG to have the CCMv4 translated to additional languages.
5. AoB
- Please navigate to the 'Events' tab here in Circle to find the call information for the upcoming CCM WG meetings.
Action Points (APs)
No action points defined.
Please let me know if you have any questions/comments.
Thank you all for being active and supporting the CCMv4 development.
Best regards,
------------------------------
Eleftherios Skoutaris
Program Manager
Cloud Security Alliance
------------------------------