Date: Thursday, June 05, 2025
Attendees
| Name | Organization | Name | Organization |
| --- | --- | --- | --- |
| Andy Ruth | CSA | Daniele Catteddu | CSA |
| Dominic Vleming | CSA | John DiMaria | CSA |
| Kasia Chamberski | CSA | Larry Hughes | CSA |
| Troy Leach | CSA | Adam Shnider | Coalfire |
| Christian Baer | Schellman | Gagan Singh | Salesforce |
| James Huang | Salesforce | Maggie Ayers | Salesforce |
| Marc Rubbinaccio | Secureframe | Matteo Lucantonio | Deloitte |
| Melissa Yu | Google | Subra (P.A. Subrahmanyam) | Stanford/CyberKnowledge |
| Thomas Volpe | RegScale | | |
|
Agenda
· Welcome
· Goals and Timelines – Short Term
· Next Steps
· CAR Pilot – FedRAMP20x
· Any Other Business (AOB)
Meeting Summary
The meeting commenced with a welcome and introductions. Andy stated that now that the CAR initiative is announced, the working groups will be launched; their charters were unanimously approved. As the initiative enters the formal phase, the working groups will follow a more formal process for running meetings, including the election of co-chairs. Attendees opted for bi-weekly meetings to accommodate availability, and discussions on working group structures and responsibilities were held, emphasizing the nomination of leaders. The first meeting of the Controls Catalog working group will occur on June 9th, and the first meeting of the Regulatory working group will occur on June 18th. The CAR FedRAMP Phase 1 initiative was introduced as a testing ground for the CAR pilot approval concept, involving collaboration among various entities. One topic was the update to the KSIs that FedRAMP 20x Phase 1 is using, and the removal of the mapping to NIST 800-53. Challenges in mapping Continuous Control Monitoring to the updated FedRAMP Key Security Indicators were identified, necessitating revisions to align with the new requirements. The meeting concluded with plans for compliance mapping within the Secureframe platform, and Andy mentioned that we must maintain a focus on collaboration while protecting individual interests.
Action Items
Members email Andy (aruth@cloudsecurityalliance.org) to indicate which working group(s) they want to participate in and if they are interested in serving as a chair or co-chair for a working group.
Detailed Discussion
Meeting Logistics and Recording
The team discussed the confidentiality of the meeting and decided to limit the recording to only the designated note-takers, emphasizing the importance of keeping the information proprietary.
Meeting Introduction and Goals Overview
Andy Ruth outlined the next steps for the meeting, which include discussing goals and timelines for the short term, as well as the transition to a more formal process with the election of co-chairs. This indicates a clear direction for the team moving forward.
Announcement of CAR and Working Groups
The working group charters were approved unanimously, establishing the rules of engagement for the groups. This decision is crucial for setting the framework for future collaboration.
The meetings for working group two are scheduled for next week on the 9th, and for working group one on the 18th. Participants are encouraged to confirm their attendance and express their group preferences.
Meeting Frequency Discussion
The team decided to maintain bi-weekly meetings after discussing the pros and cons of weekly meetings. Andy Ruth initiated the discussion, and the majority of participants expressed a preference for bi-weekly sessions, citing availability as a key factor.
Working Group Structure and Responsibilities
The team will revise the scope of initial deliverables in the upcoming meeting and establish a timeline for publication. Members are encouraged to choose their preferred working group and communicate their choices to Andy.
It was decided that chairs and co-chairs for the working groups will be nominated and elected in the upcoming meetings, with a focus on selecting individuals who are subject matter experts.
The meeting encouraged active participation, with members being prompted to express their interest in leadership roles within the working groups.
Meeting Structure and Working Groups
The team is set to kick off working groups one and two in the next two weeks, focusing on regulatory compliance and controls catalog. Andy Ruth emphasized the importance of team members emailing him their preferred working group assignments, which will be documented as an action item in the meeting minutes.
Analysis of Legal Regulatory Industry Requirements
The team will begin by establishing best practices and aims to create a unified vendor-agnostic reference for controls. This will be prioritized as the first task to complete, followed by extending guidance for a shared responsibility model based on existing frameworks.
Working Group Structure and Leadership
It was decided that the team would nominate leaders for the working groups, with the possibility of splitting responsibilities for different aspects of the project, such as analyzing legal requirements and control principles.
FedRAMP Phase 1 Initiative and CAR Pilot Approval Concept
The team decided to utilize the FedRAMP Phase 1 initiative as a testing ground for the CAR pilot approval concept, which involves collaboration between an automation company, an auditing company, and a customer. This decision aims to validate the automated mechanism's effectiveness in satisfying automation requirements.
Control Definitions and Continuous Monitoring
The team decided to pursue a FedRAMP pilot to validate the control definitions and continuous monitoring processes, which will provide insights for the CAR initiative. This decision was made to enhance the mapping of controls and requirements, and to explore collaboration with other certification bodies like DORA.
Pilot Project Collaboration
The team decided to involve multiple entities, including customer service and GRC automation providers like Vanta and Anecdotes, in the pilot project. This decision aims to enhance collaboration and ensure comprehensive validation of the automation packages submitted.
The next steps include ensuring that Christian Baer is fully informed about the CSA Invent pilots and making necessary connections to provide him with visibility over the overall project picture.
Mapping CCM to FedRAMP KSI
The team is facing challenges due to recent changes in the KSI, which have resulted in the removal of some indicators and the need to revise the initial mapping work that was already completed. This impacts the project timeline as adjustments are necessary to align with the new requirements.
The next steps involve revising the mapping of the CCM to the updated KSI requirements and building automation packages for verification processes, which will engage auditors in the workflow.
Collaboration and Compliance Mapping
The team discussed the next steps involving the mapping of common controls within the Secureframe platform and the intention to present this work in an upcoming workshop. This indicates a collaborative effort to enhance compliance processes.
A decision was made to focus on collaboration while protecting individual products and intellectual property, aiming to reduce compliance friction. This reflects a strategic approach to balancing community efforts with individual business interests.
------------------------------
Andy Ruth
Cloud Security Alliance
[email protected]
------------------------------