Cloud Controls Matrix

CCMv4 Development Activities Update (1/2/23)

    Posted Jan 30, 2023 06:17:00 AM
    Dear members,
    please find below a quick update on recent activities of the CCM WG and additional information on which projects you may contribute to.

    Brief summary:
    • CSA has kicked off another great project that aims to develop implementation guidelines that pertain to the Cloud Shared Security Responsibility Model (SSRM) for all 197 controls currently in CCMv4.0. Experts who wish to participate in the project and contribute to the development of the SSRM guidelines are kindly invited to contact me.
    • CCMv4 lightweight version (currently called CCM-Lite) is also currently under development and reviewed by the CCM WG leadership team. 
    • Mapping of CCMv4 to NIST CSF v1.1 is making good progress. Another mapping of CCMv4 to PCI DSS v4 is about to kick off later this month.
    • CCM WG experts who have contributed to CSA CCMv4 related publications can now have their profiles displayed at the CSA website by filling out this form.
    • Help us improve the CCMv4 and its underlying components (controls, CAIQ, guidelines, metrics, mappings) by providing your input to the CCM Feedback form.

    Agenda Items (AIs):

    1. CCMv4 SSRM Guidelines Development project
    2. CCM-Lite Development project
    3. CCMv4 - NIST CSF v1.1 mapping project
    4. CSA - Singapore Cyber Security Agency Partnership
    5. CCMv4 - PCI DSS v4 mapping project
    6. CSA Chapter mappings
    7. AoB

    1. CCMv4 SSRM Guidelines Development project (Call for participation)

    • Project's goal is to develop implementation guidelines for the 197 controls in the Cloud Controls Matrix V4 that pertain to the Shared Security Responsibility Model (SSRM)
    • Primary objective is to educate cloud customers on how they and their service providers share the responsibility for securing their cloud footprint
    • The CAIQv4s submitted by hyperscalers (AWS, GCP, MS Azure) in CSA's Registry are to be used as the basis to formulate the SSRM guidelines
    • First SSRM guidelines draft is expected by June 2023, project completion in October 2023
    • Experts are welcome to participate in the project and contribute to the SSRM guidelines development



    2. CCM-Lite Development
    • Project objective is to present a lightweight CCMV4 of a minimum set of baseline foundational cloud security requirements.
    • CCM-Lite is planned to be a cost-effective solution that can be adopted by low-risk profile cloud organizations (SMEs) and allow them to implement & demonstrate "basic cloud-security hygiene".
    • The current draft 'CCM-Lite' version has been reviewed by the CCM WG and is now being processed by the CCM Leadership team to consolidate the feedback provided
    • Final draft version of 'CCM-Lite' will be placed for open peer review to the wider CSA community and partners according to the timeline below.


      3. CCMv4 - NIST CSF v1.1 Mapping Project
      • The CCM WG is conducting a mapping project between CCMv4 and NIST CSFv1.1. 
      • The project involves both a mapping and gap analysis and aims to identify the requirements 'overlaps' and 'deltas' between the two (2) frameworks.
      • Gap analysis aims to identify possible gaps that NIST CSF has when compared to CCMv4.
      • Mapping is expected to be completed by 9/2 and then a joint review involving the NIST CSF team is expected to follow.
      Snapshot of "progress status" tab of the mapping tool is shared below.


      4. CSA - Singapore Cyber Security Agency (SI-CSA) Partnership (Call for Participation)

      • The partnership established between CSA and Singapore's CSA involves a mapping between CCMv4 and SI-CSA's Cyber Trust Mark and Cyber Essentials.
      • First mapping project between the CCMv4 and Cyber Essentials was delivered to SI-CSA on 30/11.
      • Second mapping between CCMv4 and Cyber Trust Mark is going to kick off on 2/2.
      • Experts are welcome to participate in the project and contribute to the Mapping.

      5. CCMv4 - PCI DSS v4 Mapping Project (Call for Participation)
      • Project is expected to kick off by end of February.
      • The project aims at conducting both a mapping and gap analysis to identify the requirements 'overlaps' and 'deltas' between the two (2) frameworks.
      • Experts are welcome to participate in the project and contribute to the Mapping. 

      6. CSA Chapter mappings
      • CSA and the Spanish chapter have completed and published a mapping and CCMv4 addendum to Spain's National Cyber Security Framework.
      • Mapping is published at CSA's website.

      7. AoB
      • Please navigate to the 'Events' tab here in Circle to find the call information for the upcoming CCM WG meetings.

      Action Points (APs)
      Action points are defined within each individual project.

      Feel free to reach out should you have any questions or comments on the above.
      Thank you all for being active and supporting the CCMv4 development & evolution of the standard.
      Best regards,


      ------------------------------
      Eleftherios Skoutaris
      Program Manager
      Cloud Security Alliance
      ------------------------------