CSA Official Press Release

Published 06/20/2023

Cloud Security Alliance Announces Cloud Controls Matrix (CCM) Update, Mapping to National Institute of Standards and Technology’s (NIST) Cybersecurity Framework v1.1

Mapping identifies areas of equivalence, gaps, and misalignment between CCM and NIST standards

SEATTLE June 20, 2023 – The Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining standards, certifications and best practices to help ensure a secure cloud computing environment, today announced the mapping of its flagship Cloud Controls Matrix (CCM) to the National Institute of Standards and Technology’s (NIST) Framework for Improving Critical Infrastructure Cybersecurity 1.1, more widely known as the Cybersecurity Framework (CSF). Drafted by the CCM Working Group, this mapping identifies the equivalence, gaps, and misalignment between the control specifications of the CCM v4 and NIST’s Cybersecurity Framework and allows for more streamlined compliance. Additionally, the Working Group announced a minor update to CCM from v4.0.7 to v4.0.8.

“This mapping serves to align CCM v4 with an additional standard and assists cloud organizations with their cloud security and compliance programs, while the update strengthens CCM’s position as the cloud security industry’s preferred control framework,” said Lefteris Skoutaris, Program Manager and Research Analyst, Cloud Security Alliance EMEA.

The additional mapping brings the total number of mappings to 11. The CCM Working Group previously mapped CCM v4 to the following standards: AICPA TSC (2017), CCM v3.0.1, CIS v8.0, ISF SOGP 2022, ISO/IEC 27001 (2013, 2022), ISO/IEC 27002 (2013, 2022), ISO/IEC 27017 (2015), ISO/IEC 27018 (2019), NIST 800-53r5, and PCI DSS v3.2.1.

“As cybersecurity practitioners, Weaver believes there is great value in the extensibility of additional mappings, including the leverage they provide organizations when considering activities and practices across dynamic technology environments,” said Eric Peeters, Senior Manager, Weaver.

The CCM is a cybersecurity control framework for cloud computing and is composed of 197 control objectives that are structured in 17 domains, covering all key aspects of cloud technology. It can be used as a tool for the systematic assessment of a cloud implementation, and provides guidance on which security controls should be implemented by which actor within the cloud supply chain. The controls framework is aligned to the CSA Security Guidance for Cloud Computing, and is considered a de facto standard for cloud security assurance and compliance.

About Cloud Security Alliance
The Cloud Security Alliance (CSA) is the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. CSA harnesses the subject matter expertise of industry practitioners, associations, governments, and its corporate and individual members to offer cloud security-specific research, education, training, certification, events, and products. CSA's activities, knowledge, and extensive network benefit the entire community impacted by cloud — from providers and customers to governments, entrepreneurs, and the assurance industry — and provide a forum through which different parties can work together to create and maintain a trusted cloud ecosystem. For further information, visit us at www.cloudsecurityalliance.org, and follow us on Twitter @cloudsa.

Media Contacts
Kristina Rundquist
ZAG Communications for CSA
[email protected]

About Cloud Security Alliance

The Cloud Security Alliance is a not-for-profit organization with a mission to promote the use of best practices for providing security assurance within Cloud Computing, and to provide education on the uses of Cloud Computing to help secure all other forms of computing. The Cloud Security Alliance is led by a broad coalition of industry practitioners, corporations, associations and other key stakeholders. For further information, follow us on Twitter @cloudsa.

For press inquiries, email Zenobia Godschalk of ZAG Communications or reach her by phone at 650.269.8315.