Cloud Security Alliance Announces Cloud Controls Matrix (CCM) Update, Mapping to National Institute of Standards and Technology’s (NIST) Cybersecurity Framework v1.1

Mapping identifies areas of equivalence, gaps, and misalignment between CCM and NIST standards

SEATTLE – June 20, 2023 – The Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining standards, certifications and best practices to help ensure a secure cloud computing environment, today announced the mapping of its flagship Cloud Controls Matrix (CCM) to the National Institute of Standards and Technology’s (NIST) Framework for Improving Critical Infrastructure Cybersecurity 1.1, more widely known as the Cybersecurity Framework (CSF). Drafted by the CCM Working Group, this mapping identifies the equivalence, gaps, and misalignment between the control specifications of the CCM v4 and NIST’s Cybersecurity Framework and allows for more streamlined compliance. Additionally, the Working Group announced a minor update to CCM from v4.0.7 to v4.0.8.

“This mapping serves to align CCM v4 with an additional standard and assists cloud organizations with their cloud security and compliance programs, while the update strengthens CCM’s position as the cloud security industry’s preferred control framework,” said Lefteris Skoutaris, Program Manager and Research Analyst, Cloud Security Alliance EMEA.

The additional mapping brings the total number of mappings to 11. The CCM Working Group previously mapped CCM v4 to the following standards: AICPA TSC (2017), CCM v3.0.1, CIS v8.0, ISF SOGP 2022, ISO/IEC 27001 (2013, 2022), ISO/IEC 27002 (2013, 2022), ISO/IEC 27017 (2015), ISO/IEC 27018 (2019), NIST 800-53r5, and PCI DSS v3.2.1.

“As cybersecurity practitioners, Weaver believes there is great value in the extensibility of additional mappings, including the leverage they provide organizations when considering activities and practices across dynamic technology environments” said Eric Peeters, Senior Manager, Weaver.

The CCM is a cybersecurity control framework for cloud computing and is composed of 197 control objectives that are structured in 17 domains, covering all key aspects of cloud technology. It can be used as a tool for the systematic assessment of a cloud implementation, and provides guidance on which security controls should be implemented by which actor within the cloud supply chain. The controls framework is aligned to the CSA Security Guidance for Cloud Computing, and is considered a de-facto standard for cloud security assurance and compliance.

About Cloud Security Alliance
The Cloud Security Alliance (CSA) is the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. CSA harnesses the subject matter expertise of industry practitioners, associations, governments, and its corporate and individual members to offer cloud security-specific research, education, training, certification, events, and products. CSA's activities, knowledge, and extensive network benefit the entire community impacted by cloud — from providers and customers to governments, entrepreneurs, and the assurance industry — and provide a forum through which different parties can work together to create and maintain a trusted cloud ecosystem. For further information, visit us at www.cloudsecurityalliance.org, and follow us on Twitter @cloudsa.

Media Contacts
Kristina Rundquist
ZAG Communications for CSA
[email protected]