Cloud Controls Matrix

CCMv4 Development Activities Update (October, 2023)


    Posted Oct 11, 2023 10:10:00 AM

    Dear members,

    Please find below a quick update on recent activities of the CCM WG and additional information on the projects to which you may contribute.

    Brief summary:

    • CCM V4 SSRM Guidelines Development project is in progress. A first draft of the SSRM guidelines has been delivered and is currently under review.
    • CCMv4 lightweight version (called CCMV4-Lite) targeting SMEs/Startups is final and released (a CAIQV4-Lite is also released).
    • Mapping of CCM V4 to Zero Trust principles is in progress.
    • Mapping of CCMv4 to PCI DSS v4 was recently published.
    • CSA and the CCM WG have published a CCM V4 Addendum to both Cyber Risk Institute's Profile and IBM's Cloud Framework for Financial Services. A collaboration between CSA and the ECUC of financial institutions has also been established and work is in progress.
    • Additional projects are currently planned (see 4, 5 and 6 below).
    • CCM WG experts who have contributed to CSA CCMv4 related publications can now have their profiles displayed at the CSA website by filling out this form.
    • Help us improve the CCMv4 and its underlying components (controls, CAIQ, guidelines, metrics, mappings) by providing your input to the CCM Feedback form.

    Agenda Items (AIs):

    1. CCM V4 SSRM Implementation Guidelines project
    2. CCM V4 - Zero Trust Architecture Mapping
    3. OpenCRE-CSA Collaboration (CCM Integration & Webinar)
    4. ECUC Mapping & Gap analysis Review
    5. CCM - Mitre Att&ck Framework mapping
    6. CCMv4 – ENX.VDA.ISA6 frameworks alignment (automotive industry standard)
    7. Completed projects
    8. AoB

    1. CCMv4 SSRM Guidelines Development project

    • The CCM V4 SSRM Guidelines development project aims to develop control ownership and implementation guidelines for the CCM V4 controls that pertain to the Shared Security Responsibility Model (SSRM).
    • The objective of the final deliverable is to help both CSPs and CSCs better understand their security responsibilities in the cloud when implementing the 197 controls currently in CCM V4.
    • The CCM WG has delivered a FIRST DRAFT of the CCM V4 SSRM Guidelines, which is currently under review.
    • A final draft version is expected to be delivered by end of October.
    • To join the SSRM project calls, navigate to the 'Events' tab and look for the relevant call info.

    2. CCM V4 - Zero Trust Architecture Mapping

    • Project work is ongoing.
    • Project objectives are:
      • Identify potential gaps and areas of misalignment between CCM V4 and ZT architecture, strategy and best practices, and provide input and recommendations to the CCM WG for the:
        • Update of the CCM (improving existing controls and/or adding new ones)
        • Creation of ZT implementation guidance for the CCM
      • Identify which CCM controls are relevant to support the governance, implementation and operation of a ZT architecture for use across cloud computing.

    • To join the CCM-ZT project calls, navigate to the 'Events' tab and look for the "CCMv4 Workshop Sessions" call info.

    3. OpenCRE-CSA Collaboration (CCM Integration & Webinar)

    • OpenCRE is an interactive content-linking platform for uniting security standards and guidelines.
    • It introduces the so-called Common Requirements Enumeration (CRE), whose entries are linked to controls/domains of other security standards as a means of helping organizations streamline the proper implementation of security and compliance.
    • OpenCRE leverages CCM V4 as a use case for the latter's integration into the interactive platform.
    • In the context of the collaboration between the OpenCRE team and CSA, and to raise awareness of the importance of this work, a webinar is planned for release on October 23rd.

    4. ECUC Mapping & Gap analysis Review (Call for participation)

    • ECUC is a coalition of financial institutions that have established requirements for the financial sector and have been standardizing their approach to conducting assessments of CSPs based on CCMV4 (and CAIQv4). Their requirements, as they appear in their so-called Position Paper v2.1, have been validated by national regulators.
    • The collaboration between CSA and ECUC aims at the development of a CCM Financial Services Addendum to offer financial institutions and CSPs a framework to:
      • Enable the financial sector to securely adopt cloud services.
      • Limit the challenge of compliance fatigue for both CSPs and financial institutions against various EU regulations and data protection standards.
    • A joint mapping activity between ECUC teams and the CCM WG is currently being carried out for the alignment of CCM V4 and the ECUC requirements as they appear in the ECUC position paper.
    • Experts who are familiar with CCM V4 and the CCM WG mapping methodology are invited to join this mapping project.
    • To join the CCM-ECUC mapping project calls, navigate to the 'Events' tab and look for the "CCM WG Call" info.

    5. CCM - Mitre Att&ck Framework mapping (In planning)

    • The CCM WG is interested in kicking off a mapping project between CCM V4 and the Mitre Att&ck framework.
    • The objective is to map CCM controls to Mitre Att&ck techniques as a means of helping cloud organizations adopt CCM V4 controls to safeguard the CIA of their data against these attacks.
    • This project is currently in the planning phase. Interested SMEs are invited to express their interest in participating in this project.
    • This project hasn't started yet (there is no call scheduled).

    6. CCMv4 – Automotive Industry Standard Mapping (In planning)

    • CSA is interested in a collaboration with the ENX Association and the automotive industry.
    • The objective of the project is to offer vendors in the automotive industry a framework to guide them toward a secure adoption of cloud services and to limit the challenge of compliance fatigue for certification against the relevant standards in the automotive industry and cloud.
    • A possible next step in this collaboration is a joint mapping activity between the two organizations and the corresponding standards, namely CCM V4 and VDA ISA v6.
    • This project is currently in the planning phase. Interested SMEs are invited to express their interest in participating in this project.
    • This project hasn't started yet (there is no call scheduled).

    7. Completed projects

    • CCM-Lite and CAIQ-Lite, comprising a lightweight version of CCM V4 targeting SMBs, are final and released.
    • The CCMv4 - NIST CSF v1.1 Mapping is completed and was made available with the release of CCM V4.0.8.
    • The CCMv4 - PCI DSS v4 Mapping is completed and was also made available with CCM V4.0.10.

    8. AoB

    • Please navigate to the 'Events' tab here in Circle to find the call information for the upcoming CCM WG meetings.


    Action Points (APs)
    Action points are defined within each individual project.

    Feel free to reach out should you have any questions or comments on the above.
    Thank you all for being active and supporting the CCM WG projects and CCM v4 development & evolution.
    Best regards,
    ------------------------------
    Lefteris Skoutaris
    ------------------------------