Cloud Controls Matrix

CCMv4 Call, August 18th & 19th [Meeting Minutes]

    Posted Aug 20, 2021 09:12:00 AM

    Dear members,

    please find below the joint minutes from our recent CCM WG main and workshop calls.

    Brief summary:

    • The CCMv4.0 Implementation guidelines are final and expected for release on September 14th and during the CSA Sectember event.
    • The CCMv4.0 auditing guidelines are under final review by the CCM group of auditors.
    • The CCMv4 - PCI DSS v3.2.1 mapping and gap analysis is almost complete.
    • CSA has kicked off a NEW mapping between CCMv4 - NIST 800-53r5.


    Please find below the usual well-structured and detailed minutes section.

    Agenda Items (AIs):

    1. CCMv4.0 components development and ongoing reviews
    2. CCMv4.0 mapping & gap analysis exercises (NIST 800-53r5, PCI DSSv3.2.1)
    3. AoB


    Participants (19):
    Robin Basham
    Geoff Bird
    John Britton
    Madhav Chablani
    Angela Dogan
    Angell Duran
    David Friedenberg
    Damian Heal
    Frank Jaramillo
    Erik Johnson
    Sudhir Kamble
    Rajendra Kathal
    Bala Kaundinya
    John D. Maria
    Claus Matzke
    Johan Olivier
    Thomas Sager
    Lefteris Skoutaris (PM)
    David Sztyk

    Meeting Minutes (MMs):

    1. CCMv4.0 components development and ongoing reviews

    • The CCMv4.0 implementation guidelines are final and expected to be published during the Sectember event, on September 14th.
      • The guidelines are to be published in both PDF and Excel formats (in the latter case as an additional tab in the CCMv4 Excel sheet),
      • Erik extended current section 1.1.4 of the document to include references to SSRM in relation to CCMv4 components,
      • Johan, Angell and Madhav finished the description on CCM domains IVS, TVM and IPY respectively.
      • Erik and Damian discussed possible improvements to the CCMv4.0 auditing guidelines with respect to the SSRM and specifically on the guidelines of STA 1-6.
      • Lefteris has invited Erik to contribute to the final review on the auditing guidelines assigned under group D.
      • Lefteris shared internally (CSA) the implementation guidelines document for proper design/formatting and preparation for its publication and working on its encoding in YAML format.
    • The CCMv4.0 auditing guidelines are under final review by the working group.
      • The CCM is split into 4 groups of domains and equal number of groups A-D of reviewers (auditors).
      • Sanjeev, Damian, Dave and Agnidipta offered to lead the review on those groups.
      • All leaders and group reviewers are active and sessions are scheduled per group to coordinate and conduct the reviews.


    2. CCMv4.0 mapping & gap analysis exercises

    • The CCMv4.0 - PCI DSSv3.2.1 mapping is almost complete
      • 16/17 domains mappings are delivered,
      • LOG domain is pending 2 comments consolidation by 1st reviewer (Thomas conducted 2nd review, waiting for Vani),
      • Lefteris conducting consistency checks and preparing the content for encoding in YAML.
    • CSA has kicked off a new mapping activity between CCMv4.0 - NIST 800-53r5.
      • Robin has been invited by the CCM leadership team to lead on the mapping activity of CCM and NIST 800-53 and has provided guidance in that direction,
      • Robin has included two tabs in the tool 'Sample Mapping to NIST Parent Control' and 'Sample Mapping NIST Enhancement Level Control' to assist experts,
      • Experts participating in the exercise are also invited to visit the 'Mapping Guidance' tab of the tool in order to follow a consistent mapping approach with previous CSA mappings,
      • 3 CCM domains, BCR, STA and UEM are missing a 2nd reviewer (contact Lefteris if someone is interested in participating),
      • Professionals are kindly invited to visit the Status Description column (under the Progress Status tab) of the mapping tool for any pending actions on their end (AP1).


    Snapshot of 'CCMv4-PCI DSSv3.2.1' tool's progress tab


    Snapshot of 'CCMv4-NIST 800-53r5' tool's progress tab


    3. AoB

    • Please navigate to the 'Events' tab to find the call information for the upcoming CCM WG meetings.


    Action Points (APs)

    AP1: Professionals are kindly invited to visit the Status Description column (under the Progress Status tab) of the CCMv4 - NIST 800-53r5 mapping tool for any pending actions on their end.


    Please let me know if anything important is missed above or if you have any questions/comments.
    Thank you all for being active and supporting us.
    Best regards,



    ------------------------------
    Eleftherios Skoutaris
    Program Manager
    Cloud Security Alliance
    ------------------------------