Cloud Controls Matrix

CCMv4 Development Activities Update (July 4th, 2023)

    Posted Jul 04, 2023 03:28:00 AM
    Edited by Lefteris Skoutaris Jul 19, 2023 07:39:34 AM

    Dear members,

    Please find below a quick update on recent activities of the CCM WG and additional information on the projects to which you may contribute.

    Brief summary:

    • CSA and CCM WG have published a CCM V4 Addendum to both Cyber Risk Institute's Profile and IBM's Cloud Framework for Financial Services.
    • CCM V4 has been updated to version 4.0.8 by including another mapping to NIST CSF v1.1.
    • CCM V4 SSRM Guidelines Development project is in progress. A first draft of the SSRM guidelines is delivered and currently under review.
    • CCMv4 lightweight version (currently called CCM-Lite) targeting SMEs/Startups is final and soon to be released. A CAIQ-Lite will be released as well.
    • Mapping of CCMv4 to PCI DSS v4 is soon to be completed by mid-August. Release is expected by mid-September.
    • Mapping of CCM V4 to Zero Trust principles has started.
    • CCM WG experts who have contributed to CSA CCMv4 related publications can now have their profiles displayed at the CSA website by filling out this form.
    • Help us improve the CCMv4 and its underlying components (controls, CAIQ, guidelines, metrics, mappings) by providing your input to the CCM Feedback form.

    Agenda Items (AIs):

    1. CCM V4 SSRM Guidelines Development project
    2. CCM-Lite Development project
    3. CCM V4 - NIST CSF v1.1 mapping project
    4. CCM V4 - PCI DSS v4 mapping project
    5. CCM V4 - Zero Trust Principles Mapping
    6. AoB

    1. CCMv4 SSRM Guidelines Development project (Call for participation)

    • The CCM V4 SSRM Guidelines development project aims to develop control ownership and implementation guidelines for the CCM V4 controls that pertain to the Shared Security Responsibility Model (SSRM). 
    • The CCM WG has delivered a FIRST DRAFT of the CCM V4 SSRM Guidelines currently placed under review.
    • A final draft version is expected to be delivered by end of August.
    Image: SSRM project's overview and timeline of underlying tasks are illustrated.
     

    2. CCM-Lite Development

    • Project objective is to present a lightweight CCMV4 of a minimum set of baseline foundational cloud security requirements.
    • CCM-Lite is planned to be a cost-effective solution that can be adopted by low-risk profile cloud organizations (SMEs) and allow them to implement & demonstrate "basic cloud-security hygiene".
    • A CCM-Lite Final version (+ CAIQ-Lite) is delivered by the CCM WG.
    • Please stay tuned for the official announcement and release by CSA in the next few weeks.

    3. CCMv4 - NIST CSF v1.1 Mapping Project

    • The mapping has been delivered and it is announced with the release of CCM V4.0.8.

    4. CCMv4 - PCI DSS v4 Mapping Project 

    • The mapping is delivered by the CCM WG and it is currently under review by the project's team leaders.
    • Mapping can be accessed here.

    5. CCM V4 - Zero Trust Principles Mapping

    • The project has started. Regular, weekly sessions take place every Thursday (see 'Events' tab for info to join the call).

    Mapping Objectives are the following:

    • Identify what CCM Controls are relevant to support the Governance, Implementation and Operation of a ZT Architecture for use across cloud computing. 
    • Identify potential gaps and areas of misalignment between CCM V4 and ZT architecture and best practices, and provide input and recommendations to the CCM WG for:

      • Updating the CCM (improving existing controls and/or adding new ones)

      • Creating ZT Implementation guidance for the CCM V4

    6. AoB

    • Please navigate to the 'Events' tab here in Circle to find the call information for the upcoming CCM WG meetings.


    Action Points (APs)
    Action points are defined within each individual project.

    Feel free to reach out should you have any questions or comments on the above.
    Thank you all for being active and supporting the CCMv4 development & evolution of the standard.
    Best regards,



    ------------------------------
    Eleftherios Skoutaris
    Program Manager
    Cloud Security Alliance
    ------------------------------