Thank you all for the valuable inputs.
All suggestions made are taken into account by the CCM WG and co-chairs, and in fact most of the frameworks mentioned are already in our queue list for development (however, not all are planned for 2023).
Future announcements on the next CCM V4 mapping projects will take place at the CCM WG channel.
Please stay tuned.
------------------------------
Eleftherios Skoutaris
Program Manager
Cloud Security Alliance
------------------------------
Original Message:
Sent: May 22, 2023 05:17:16 AM
From: Derek Price
Subject: To what other standard/framework CCM V4 should be mapped to?
It could be a benefit to see a mapping to 800-171/CMMCv2. While the lift for FedRAMP is high, any business that contracts with Fed.gov will need at least a CMMC self certify.
------------------------------
Derek Price
Information Security Analyst
DataBank IMX
Original Message:
Sent: May 19, 2023 06:02:37 AM
From: Eleftherios Skoutaris
Subject: To what other standard/framework CCM V4 should be mapped to?
Dear members,
Mappings are a useful tool for cloud organizations to identify the equivalent (overlapping) security requirements between CCM V4 and a target framework, and more importantly the missing cloud-specific CCM security requirements (deltas), especially when cloud organizations are seeking to integrate these missing requirements within their cloud security and compliance programs.
The CCM V4 is currently mapped with the following frameworks:
- AICPA TSC (2017)
- CCM v3.0.1
- CIS v8.0
- ISF SOGP 2022
- ISO/IEC 27001 (2013, 2022)
- ISO/IEC 27002 (2013, 2022)
- ISO/IEC 27017 (2015)
- ISO/IEC 27018 (2019)
- NIST 800-53r5
- PCI DSS v3.2.1
Mapping to NIST CSF v1.1 is completed and is soon to be published.
Mapping to PCI DSS V4 is in progress.
What are other frameworks the CCM WG should prioritize to map CCM V4 with, and more importantly, why?
------------------------------
Eleftherios Skoutaris
Program Manager
Cloud Security Alliance
------------------------------