Cloud Controls Matrix

CCMv4 Development Activities Update (27/3/23)

  • 1.  CCMv4 Development Activities Update (27/3/23)

    Posted Mar 27, 2023 07:25:00 AM
    Edited by Lefteris Skoutaris Mar 28, 2023 05:30:32 AM

    Dear members,
                          please find below a quick update to recent activities of the CCM WG and additional information on which projects you may contribute.

    Brief summary:

    • CSA and CCM WG have published a CCM V4 Addendum to both Cyber Risk Institute's Profile and IBM's Cloud Framework for Financial Services.
    • CCM V4 has been updated to version 4.0.7 by including another mapping to Internet Security Forum's (ISF) Standard of Good Practice (SOGP).
    • CSA's SSRM project is currently in progress. CSA is looking for cloud security SMEs to participate in and contribute to the development of SSRM guidelines for the CCM V4.
    • CCMv4 lightweight version (currently called CCM-Lite) is placed for open peer review.
    • Mapping of CCMv4 to NIST CSF v1.1 is close to completion. Mapping of CCMv4 to PCI DSS v4 has recently kicked-off.
    • Mapping of CCM V4 to Zero Trust principles is soon to be announced.
    • CCM WG experts who have contributed to CSA CCMv4 related publications can now have their profiles displayed at the CSA website by filling out this form.
    • Help us improve the CCMv4 and its underlying components (controls, CAIQ, guidelines, metrics, mappings) by providing your input to the CCM Feedback form.

    Agenda Items (AIs):

    1. CCM V4 SSRM Guidelines Development project
    2. CCM-Lite Development project
    3. CCM V4 - NIST CSF v1.1 mapping project
    4. CCM V4 - PCI DSS v4 mapping project
    5. CCM V4 - Zero Trust Principles Mapping (soon to be announced).
    6. CSA - Singapore Cyber Security Agency Partnership
    7. AoB

    1. CCMv4 SSRM Guidelines Development project (Call for participation)

    • The Shared Security Responsibility Model (SSRM) is inherent to the use of cloud services.
    • It is essential that both cloud service customers (CSCs) and cloud service providers (CSPs) are fluent and current in understanding how they and their cloud service providers (CSPs) share the responsibility for securing their cloud footprint.
    • Cloud Security Alliance, the CCM WG and its partners are interested in extending the CCM V4 framework to include SSRM implementation guidelines for each of the 197 control specifications in the CCM in order to help cloud stakeholders delineate their security responsibilities within the shared cloud infrastructure.
    • Experts are welcome to participate in the project and contribute to the SSRM guidelines development
    Image: SSRM project's overview and timeline of underlying tasks are illustrated.

    2. CCM-Lite Development

    • 'CCM-Lite' it is based on CCM V4 and it is currently made publicly available for review here
    • Project objective is to present a lightweight CCMV4 of a minimum set of baseline foundational cloud security requirements.
    • CCM-Lite is planned to be a cost-effective solution that can be adopted by low-risk profile cloud organizations (SMEs) and allow them to implement & demonstrate "basic cloud-security hygiene".

    3. CCMv4 - NIST CSF v1.1 Mapping Project

    • CSA, the CCM WG and NIST have joint forces to collaborate on the CCM - NIST CSF mapping. 
    • The project involves both a mapping and directional gap analysis and aims to identify the requirements 'overlaps' and 'differences' between the two frameworks.
    • Gap analysis aims to identify possible gaps that NIST CSF v1.1 has when compared to CCM v4.0.
    • The mapping's results and the cloud security requirements that are identified missing in CSF v1.1 are to be leveraged by the NIST CSF team and used as useful input to CSF's migration from v1.1 to v2.0.
    • NIST and Weaver team (project leader) final review is in progress.
    • Mapping is expected to be completed by end of March and to be published early May.

    Snapshot of "progress status" tab of the mapping tool is shared below.

    4. CCMv4 - PCI DSS v4 Mapping Project (Call for Participation)

    • Mapping project has recently kicked-off and mapping is ongoing.
    • Experts are welcome to participate in the project and contribute to the Mapping (see '?' for available slots of CCM domains). 

    5. CCM V4 - Zero Trust Principles Mapping (soon to be announced).

    • Mapping project is currently in planning & preparation by the CCM WG co-chairs.

    6. CSA - Singapore Cyber Security Agency (SI-CSA) Partnership

    • CSA and Singapore's Cyber Security Agency (CSA) have established a partnership and conducted mappings between CCM V4 and SI-CSA's Cyber Trust Mark and Cyber Essentials.
    • Both mappings have been completed. Further announcements will follow.

    7. AoB

    • Please navigate to the 'Events' tab here in Circle to find the call information for the upcoming CCM WG meetings.

    Action Points (APs)
    Actions points are defined within each individual project.

    Feel free to reach out should you have any questions or comments on the above.
    Thank you all for your being active and supporting the CCMv4 development & evolution of the standard.
    Best regards,

    Eleftherios Skoutaris
    Program Manager
    Cloud Security Alliance