Cloud Controls Matrix

Dear members,
                      please find below a recent update to the current activities of the CCM WG and additional information on how you may contribute.

Brief summary:

• CCMv4 - CRI FS Profile mappings are completed and soon to be published.
• CCMv4 - IBM FSCF mappings projects are completed. Teams are working on the alignment of mapped controls between 'forward' and 'reverse' mappings.
• The CCM WG is mapping the CCMv4 to ISO/IEC 27001:2022 and 27002:2022. Work is in progress.
• CSA has established a partnership with ISF, involving a mapping between CCMv4 and SOGP (Experts are needed to participate).
• CCMv4 is encoded in OSCAL. CSA, CIS and NIST jointly working for the translation of mappings into OSCAL.
• CCM WG experts who have contributed to CSA CCMv4 related publications can now have their profiles displayed at the CSA website by filling out this form.

Please find below a comprehensive summary of activities and topics from recent CCM WG call sessions.

Agenda Items (AIs):

1. CSA - CRI Partnership
2. CSA - IBM Partnership
3. CSA - MPA/TPN Partnership
4. CSA - ISF Partnership
5. CSA - CIS OSCAL mappings
6. CCMv4 - ISO/IEC 27002:2022 mapping project
7. CSA Chapter mappings
8. CCMv4 SSRM Guidelines Dev. project
9. AoB

1. CSA - CRI Partnership

• The CSA and the Cyber Risk Institute (CRI) have teamed up to provide the financial community with a new cybersecurity framework that satisfies the security requirements of financial institutions adopting cloud computing technologies.
• The collaboration involved 2 mappings (forward and reverse) between CSA's CCMv4 and CRI's Financial Services Cybersecurity Profile v1.2 (FS Profile). 
• The objective of these mappings aimed at a win-win outcome. On one hand, for CRI to integrate cloud-specific controls into its "FS Profile" and on the other hand for CSA to identify & integrate financial sector-specific requirements into CCMv4.
• The mappings have been successfully completed and soon CSA will publish an 'CCMv4 Addendum to CRI FS Profile v1.2' following the recent CSA blog announcement on the topic.

2. CSA - IBM Partnership

• On the same footsteps with CRI, CSA has established a partnership with IBM to de-risk cloud environments and enrich cloud security baselines for the financial sector.
• The CSA CCM WG and IBM teams have been working closely together to conduct both "forward" and "reverse" mappings between CCMv4 and IBM cloud controls framework for financial services (FSCF). Both mappings have been successfully completed.
• CSA and IBM teams are currently working on the "alignment" of the controls' mappings between the two projects.
• This "alignment" activity is expected to be completed by mid of August.

3. CSA - MPA/TPN Partnership

• CSA and Motion Pictures Association (MPA) /Trusted Partner Network (TPN) have teamed up to support MPA/TPN on the development of its cloud controls framework and assessment program based on CCMv4 and STAR program.
• MPA/TPN offers security best practices for the protection of media content handled by cloud-enabled organizations, as example, major CSPs and major studio partners and media vendors that utilize cloud technologies to process and store content.
• In this development effort MPA adopted CSA's CCM v4.0 and requested from CSA and the CCM WG to review of MPA's framework & integrated CCM controls.
• The activity has been successfully completed.

4. CSA - ISF Partnership

• CSA has establish a partnership with the Internet Security Forum (ISF) with main objective the identification and possible integration of cloud security requirements into ISF's Standard of Good Practice (SOGP).
• The project activity will involve as expected 2 mappings (forward and reverse) between CCMv4 and ISF SOGP.
• Experts who are interested in participating in this mapping activity and have already some experience with leveraging CCMv4 are invited to contact me.

5. CSA - CIS OSCAL mappings

• CSA , CIS and NIST are discussing a means of developing a common language for the representation of their OSCAL-based (XML,JSON, YAML) encoded mappings for CCMv4 and CISv8 respectively.
• CSA and CIS mappings are currently presented with a varying methodology and terminology adopted.
• Objective of ongoing discussions is the possibility of alignment of encoded versions of mappings.

6. CCMv4 - ISO/IEC 27002:2022 mapping project

• The CCM WG is currently conducting a mapping and gap analysis between CCMv4 and ISO/IEC 27001:2022 and ISO/IEC 27002:2022.

Snapshot of "progress status" tab of the mapping tool is shared below.

7. CSA Chapter mappings

• The CSA UAE Chapter has conducted & delivered a mapping between CCMv4 and UAE IA Regulation (publication).
• The CSA Japan Chapter is currently conducting a mapping between CCMv4 and Japan's Information System Security Management and Assessment Program (ISMAP).

8. CCMv4 SSRM Guidelines Dev. project

• CSA would like to embark on a new project for developing guidelines that will be based on the Shared Security Responsibility Model (SSRM) and that are going to be tailored to each CCMv4 control specification.
• The project is currently at a planning phase in collaboration with AWS and CCM WG co-chair David Nickles.
• Experts/Organizations who have implemented CCM (or other cloud security frameworks), that have a good understanding of the SSRM and are interested in participating in this project, are kindly invited to contact me.

9. AoB

• Please navigate to the 'Events' tab here in Circle to find the call information for the upcoming CCM WG meetings.

Action Points (APs)
No action points defined.

Let me know if you have any questions or comments on the above.
Thank you all for your being active and supporting the CCMv4 development.
Best regards,

------------------------------
Eleftherios Skoutaris
Program Manager
Cloud Security Alliance
------------------------------