Cloud Controls Matrix

CCM WG Activities Update (April/2024)

  • 1.  CCM WG Activities Update (April/2024)

    Posted Apr 09, 2024 03:18:00 AM

    Dear members,
                          please find below a quick update to recent activities of the CCM WG and additional information on which projects you may contribute.

    Brief summary:

    • The CCM Implementation Guidelines Version 2 (SSRM) are now final and expected publication is scheduled on June 6th during CSA's Cloud Trust Summit.
    • Ongoing mappings involve the following standards/frameworks: NIST CSF v2.0, ENX ISAv6.0, ZTA CISA MM.
    • CCM WG experts who have contributed to CSA CCMv4 related publications can now have their profiles displayed at the CSA website by filling out this form.
    • Help us improve the CCMv4 and its underlying components (controls, CAIQ, guidelines, metrics, mappings) by providing your input to the CCM Feedback form.

    Agenda Items (AIs):

    1. CCM V4 SSRM Implementation Guidelines Development
    2. CCM V4 - CSF v2.0 Mapping
    3. CCM V4 - Zero Trust Architecture Mapping
    4. CCMv4 – ENX ISAv6 frameworks alignment
    5. ECUC Mapping & Gap analysis Review
    6. Completed projects
    7. AoB

    1. CCM V4 SSRM Implementation Guidelines Development (In Progress)
    The CCM WG has delivered a final version of the guidelines that are set for publication during CSA's cloud trust summit, June 6th.
    A keynote presentation is to take place during the summit with title: CCM V4.0 Implementation Guidelines:  Securing the Cloud with the Shared Security Responsibility Model (Version 2.0).
    Next steps involve setting up a Go-to-Market strategy for promoting the project and raising awareness.

    2. CCM V4 - CSF v2.0 Mapping (Completed)
    • The CCM v4 was mapped to the latest NIST CSF v2.0 and is now delivered. Publication is expected on May 8th, during RSAC.
    • Mapping was conducted by the CCM WG and was reviewed and refined by NIST.
    • Next steps involve submitting the mapping to NIST CSF OLIR and developing a CSFv2 Cloud community profile.

    3. CCM V4 - Zero Trust Architecture Mapping (In Progress - Call for Experts)
    Please join our next CCM WG call to discuss next steps to the CCM-ZTA mapping (target framework is the CISA ZTA Maturity Model).
    A first mapping has already taken place by a CSA partner, and the CCM WG will conduct a final review to finalize the work.
    SMEs will be invited to onboard the activity and review the mapping.

    4. CCMv4 – ENX.VDA.ISA6 frameworks alignment (In Progress - Call for Experts)
    CSA has established a partnership with ENX is to de-risk cloud environments in the automotive sector and ensure that vendors/organizations in the automative industry enrich their cloud security baselines through strategic collaboration in developing and validating cloud security controls.

    The partnership with ENX entails a joint a mapping and gap analysis activity between the CSA's CCM V4.0 and ENX's ISA v6 standards. In this way, an opportunity is provided to organizations in the automotive industry to identify the overlapping security requirements between the two frameworks, and more importantly the missing cloud-specific CCM security requirements (deltas) in ISA, hence more efficiently streamlining cloud security controls integration within their cloud security and compliance programs.

    5. ECUC Mapping & Gap analysis Review (Completed)
    The collaboration between CSA and ECUC aimed towards the development of a CCM Financial Service Addendum to offer Financial Institutions and CSPs a framework to:
    • Enable the financial sector to securely adopt cloud services.
    • Limit the challenge of compliance fatigue for both CSPs and Financial Institutions against various EU regulations, data protection standards.
    A joint mapping activity between ECUC teams and the CCM WG was conducted for the alignment of CCM V4 and ECUC requirements as appear in the ECUC position paper. A CCM V4 Addendum to the ECUC PP2.1 was also released (here).

    6. Completed projects
    CCMv4.0 Addendum to ECUC PPv2.1 
    CCMv4.0 - CSF v2.0 Mapping

    7. AoB
    • Please navigate to the 'Events' tab here in Circle to find the call information for the upcoming CCM WG meetings.

    Action Points (APs)
    Actions points are defined within each individual project.

    Feel free to reach out should you have any questions or comments on the above.
    Thank you all for your being active and supporting the CCM WG projects and CCM v4 evolution.
    Best regards,



    ------------------------------
    [Lefteris] [Skoutaris]
    [Cloud Controls Matrix, Program Manager]
    [Cloud Security Alliance]
    ------------------------------