Cloud Controls Matrix

  • 1.  To what other standard/framework CCM V4 should be mapped to?

    Posted May 19, 2023 06:03:00 AM

    Dear members,

    Mappings are a useful tool for cloud organizations to identify the equivalent (overlapping) security requirements between CCM V4 and a target framework, and more importantly the missing cloud-specific CCM security requirements (deltas), especially when cloud organizations are seeking to integrate these missing requirements within their cloud security and compliance programs.

    The CCM V4 is currently mapped with the following frameworks:

    • AICPA TSC (2017)
    • CCM v3.0.1
    • CIS v8.0
    • ISF SOGP 2022
    • ISO/IEC 27001 (2013, 2022)
    • ISO/IEC 27002 (2013, 2022)
    • ISO/IEC 27017 (2015)
    • ISO/IEC 27018 (2019)
    • NIST 800-53r5
    • PCI DSS v3.2.1

    Mapping to NIST CSF v1.1 is completed and is soon to be published.
    Mapping to PCI DSS V4 is in progress.

    What are other frameworks the CCM WG should prioritize to map CCM V4 with, and more importantly, why?



    ------------------------------
    Eleftherios Skoutaris
    Program Manager
    Cloud Security Alliance
    ------------------------------


  • 2.  RE: To what other standard/framework CCM V4 should be mapped to?

    Posted May 22, 2023 08:57:00 AM

    How about the FedRAMP (Moderate or High?) version of the NIST 800-53 controls and baseline?
    Which NIST baseline did we use to determine the control set for the 800-53 V5 mapping - Low, Moderate, High?



    ------------------------------
    Erik Johnson CCSK, CCSP, CISSP, PMP
    Senior Research Analyst
    Cloud Security Alliance
    [email protected]
    ------------------------------



  • 3.  RE: To what other standard/framework CCM V4 should be mapped to?

    Posted May 24, 2023 01:24:00 AM

    Hi Erik,
    Thank you for your reply.
    FedRAMP is a framework the CCM WG & leadership team should definitely consider mapping to CCM V4.
    Whether or not it is finally selected depends on various factors (e.g., in terms of prioritization, leadership support).
    The High Impact control set of 800-53r5 is currently mapped to CCM V4.





    ------------------------------
    Eleftherios Skoutaris
    Program Manager
    Cloud Security Alliance
    ------------------------------



  • 4.  RE: To what other standard/framework CCM V4 should be mapped to?

    Posted Jun 01, 2023 01:34:00 AM

    Thank you again for your outstanding continuous work and efforts.

    I guess the CCM V4 or V5 should also map to ISO 22301, the MITRE Cyber Resiliency Engineering Framework (CREF) and NIST Special Publication 800-160, Volume 2 Revision 1.
    The main reason is that resiliency is the latest option we have to mitigate all risk scenarios and, in the end, the best way to secure information systems and keep doing business or maintain a prosperous activity :)
    Have a nice
    M. Yacouba BAMBA
    Senior Security Architect
    EMBA Risks Management - International Security & CyberSecurity
    Email : [email protected]
    Mobile : +33622012439
    ***********************************************************************************************
    This message and any attachments are confidential and intended for the named
    addressee(s) only. If you have received this message in error, please notify
    the sender immediately, then delete the message. Any unauthorized modification,
    edition, use or dissemination is prohibited.
    The sender is not liable for this message if it has been modified, altered,
    falsified, infected by a virus or even edited or disseminated without authorization.
    ***********************************************************************************************