Cloud 101CircleEventsBlog
Join AT&T's experts & CSA's Troy Leach on April 4 to boost your cyber resilience in 2024!

CCM v4 FAQ - Transition Timeline

CCM v4 FAQ - Transition Timeline

Blog Article Published: 02/04/2021

This blog was updated on 12/17/21 with the latest information regarding the release of CCM v4 components.

On January 21st CSA released version 4 of the Cloud Controls Matrix (CCM). The new version ensures coverage of requirements deriving from new cloud technologies, new controls and enhanced interoperability and compatibility with other standards.

In this blog we will discuss the transition timeline for when organizations using the CCM in other CSA programs will need to start using version 4. We will also share the release timeline for the other CCM v4 components and answer questions around how the new version will affect:

  • Mappings with standards
  • Security Trust and Assurance Registry (STAR)
  • Consensus Assessment Initiative Questionnaire (CAIQ)
  • Certificate of Cloud Security Knowledge (CCSK)

CCM v4 Components Release Timeline

Item

Status

Release Date

CCM v4 Controls

Released

January 2021

Mappings (CCM v3.0.1, ISO27K, AICPA TSC)

Released

February 2021

CAIQ v4

Released

June 2021

Mappings (CISv8, AICPA TSC 2017)

Released

June 2021

Implementation Guidelines

Released

September 2021

Auditing Guidelines

Released

December 2021

CCM Lite and CCM-SaaS

Upcoming

2022

When will the CCM v4 mappings to other leading standards be available for usage?

The first set of mappings with CCM V3.0.1., ISO/IEC 27001/02/17/18 was released in February 2021

The CCM v4 is currently mapped to the following: ISO/IEC 27001/27002/27017/27018, CCM V3.0.1 and CIS Controls V8 and AICPA TSC . Additional mappings for PCI-DSS and NIST 8-53 Rev.5 are under development and other new mappings will also be added in the future.

When will the implementation and auditing guidelines be released?

The CCM v4 Implementation Guidelines were released in September. The implementation guidelines are a new addition to the CCM, their goal is to explain how to use the CCM and to support the users in better understanding and implementing the CCM controls. The implementation of CCM controls in a specific technological environment (e.g. AWS, Azure, GCP, etc) are beyond the scope of the Implementation Guidelines and for that purpose we encourage the users to collaborate with their peers in the dedicated CCM User Group in Circle.

The CCM v4 Auditing Guidelines were released in December. Similarly to the Implementation Guidelines, the Auditing Guidelines are a new additional component to the CCM. They explain how to approach the auditing and assessment of CCM controls and provide support to the auditors and auditees alike on how to evaluate the correct adoption of CCM controls.

When will CCM Lite and CCM for SaaS be released?

The CCM Lite and CCM-SaaS will be released in Q1 2022. The CCM Lite is a lightweight version of CCM which contains the foundational controls that any CSP regardless of their delivery model approach, size, complexity of the operations should implement, no matter what.

The CCM for SaaS is meant to define CCM controls that are specifically relevant to SaaS providers. At this point it’s still unclear the direction that this project will take. We are consulting with other stakeholders to verify the need/demand for such a new artifact.

STAR Program Transition Timeline

Item

Release Date

Started accepting both V4 as well as CCM V3.0.1 and CAIQ V3.1 for all STAR Levels.

August 2021

STAR Level 2 will only accept V4 for all new submissions

December 2021

STAR Level 1 will start accepting only V4 for all submissions.

July 2022

STAR Level 2 will require all submissions to be V4.

July 2022

CCM v3.0.1 and CAIQ 3.1 will be withdrawn. [1]

January 21, 2023

When will it be possible to use version 4 of the CAIQ and CCM for STAR Submissions? When will previous versions no longer be accepted?

Until December 2021 we'll accept both versions of the CAIQ and CCM. After December 2021, all the new submissions (i.e. those services that are joining the STAR Registry for the first time) shall be done using V4. The companies/services that were in the registry prior to December 2021, have a two year transition period to switch to the new version.

Will CCM v4 be used now for the STAR attestation or Certifications? Or is CCM v3.0.1 still accepted?

See the previous answer. While both versions are currently accepted, we strongly encourage organizations to adopt V4 as soon as possible.

Clarifications on STAR Attestations:

We are trying to be consistent with the AICPA's typical process in these cases. As an example, assume the AICPA issued new criteria related to SOC 2 as of Jan. 15, 2022. If a SOC engagement began prior to the issuance of new criteria, the evaluation could be made using the “old” criteria; if so, the report would state that. Even if the evaluation was performed over a period of time that overlapped the date on which the new criteria were issued, it may be more practical to use the “old” criteria; again, the report should state which was used. If the old criteria were used, the client must be updated at the next scheduled assessment and their attestation would be valid until that time. Similarly, as per our transition guidance, we would expect all new STAR Level 2 submissions as of December 1, 2021, to be done based on the CCM v4.

CCM 3.0.1 will continue to be allowed to be used through January 22, 2023, at which time these submissions will be considered superseded. During the transition period (from the publication date issued to January 22, 2023), practitioners’ reports using CCM should clearly distinguish whether the extant or the CCM v4 have been used.

Will CCM v4 impact the CCSK?

For the time being the CCSK curriculum and exam will remain as is, and CCM v4 won't affect it in any way. This means when taking the exam, if you have a question related to the CCM (for example: the number of domains), it will still refer to CCM v3.0.1.


[1] Withdrawn means it is no longer relevant. No further work will be done to maintain or update a withdrawn standard. Withdrawn standards are therefore still available in the CSA archives for reference only (though will be marked as withdrawn).

Share this content on your favorite social network today!