Cloud Security Alliance Announces Additional Mappings Between Cloud Controls Matrix (CCM) and National Institute of Standards and Technology’s (NIST) Cybersecurity Framework (CSF)

Mapping identifies misalignment and gaps between updated CCM and CSF

RSA Conference (San Francisco) – May 8, 2024 – The Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining standards, certifications, and best practices to help ensure a secure cloud computing environment, today announced an additional mapping and gap analysis between its flagship Cloud Controls Matrix (CCM) and the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) v2.0.

Drafted by the CCM Working Group, this mapping serves to align CCM with CSF and to identify the equivalence, gaps, and misalignment between the control specifications of the two frameworks, allowing for more streamlined compliance. Cloud organizations can leverage this mapping to derive numerous key benefits, enhancing their cloud security and compliance programs.

“By expanding upon the CCM’s current mapping to NIST’s Cybersecurity Framework we are not only providing a means to aligning an organization's cloud security and compliance efforts, but ensuring that every step forward is in the right direction,” said Lefteris Skoutaris, Program Manager and Research Analyst, Cloud Security Alliance, EMEA.

Additionally, the Cloud Controls Matrix (CCM) Working Group would like to announce a new minor update to CCM v4.0.11. This update and release incorporates the additional mapping of CCMv4.0 with NIST CSF v2.0. This update serves to strengthen CCM’s position as the cloud security industry’s preferred control framework.

This additional mapping brings the total number of mappings to 15. The CCM Working Group previously mapped CCM to the following standards: NIST 800-53r5, NIST CSF v1.1 and v2.0, PCI DSS v3.2.1 and v4.0, ISO/IEC 27001 (2013, 2022), ISO/IEC 27002 (2013, 2022), ISO/IEC 27017 (2015), ISO/IEC 27018 (2019), AICPA TSC (2017), CIS v8.0, ISF SOGP 2022 and CCM v3.0.1. Additional mappings are under development and will be added in the future.

The Cloud Controls Matrix (CCM) is a cybersecurity control framework for cloud computing, composed of 197 control objectives structured in 17 domains, covering all key aspects of the cloud technology. It can be used as a tool for the systematic assessment of a cloud implementation, and provides guidance on which security controls should be implemented by which actor within the cloud supply chain. The controls framework is aligned to the CSA Security Guidance for Cloud Computing and is considered a de-facto standard for cloud security assurance and compliance.

Along with releasing updated versions of the CCM and CAIQ, the Cloud Controls Matrix Working Group provides control mappings, gap analysis, and addendums between the CCM and other industry standards and regulations to keep it continually up-to-date. Those interested in participating in the working group or its research are invited to join.

The CCM is a free resource and is available for download now.

About Cloud Security Alliance
The Cloud Security Alliance (CSA) is the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. CSA harnesses the subject matter expertise of industry practitioners, associations, governments, and its corporate and individual members to offer cloud security-specific research, education, training, certification, events, and products. CSA's activities, knowledge, and extensive network benefit the entire community impacted by cloud — from providers and customers to governments, entrepreneurs, and the assurance industry — and provide a forum through which different parties can work together to create and maintain a trusted cloud ecosystem. For further information, visit us at www.cloudsecurityalliance.org, and follow us on Twitter @cloudsa.

Media Contacts
Kristina Rundquist
ZAG Communications for CSA
[email protected]