Cloud Security Alliance’s STAR Registry Now Accepting Version 4 of CAIQ

SEATTLE – Aug. 19, 2021 – The Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining standards, certifications, and best practices to help ensure a secure cloud computing environment, is pleased to announce that cloud service providers (CSPs) are now able to submit a completed Consensus Assessment Initiative Questionnaire v4 (CAIQv4) to its Security, Trust, Assurance, and Risk (STAR) Registry using CSA’s automated submission process.

CAIQ v4 offers an industry-accepted way to document what security controls exist in IaaS, PaaS, and SaaS services, providing security control transparency. It provides a set of Yes/No questions a cloud consumer and cloud auditor may wish to ask of a cloud provider to ascertain their compliance to the Cloud Controls Matrix (CCM), and enables cloud service customers (CSC) to gauge the security posture of prospective cloud service providers and determine if their cloud services are suitably secure. For the CSP, publishing this information to the publicly accessible STAR Registry reduces complexity and helps alleviate the need to fill out multiple customer questionnaires, while cloud consumers and auditors, meanwhile, can determine which regulations, standards, and frameworks a CSP adheres to.

Earlier this year, the CSA made several updates to CAIQ, including:

• a more streamlined set of questions (261 compared to 310 in the previous version)
• changes in the structure of the document used for the submissions to STAR Registry Level 1
• additional sections related to the Shared Security Responsibility Model (SSRM), which lets CSPs better describe the allocation of the responsibility for the implementation of a CCMv4 control. The new feature not only allows the CSP to further explain what it is doing to satisfy the requirements for which it’s responsible, but also what the CSC is expected to do in order to comply with its responsibilities.

With CSA now accepting CAIQ v4 submissions to STAR Level 1, users should note that there are two separate versions of the CAIQ:

1. CCM + CAIQ v4: Includes only the questionnaire and is folded into the CCM file. This version cannot be used to submit to STAR.
2. STAR Level 1: Security Questionnaire (CAIQ v4): This must be used to submit to the STAR registry. CSPs will need to download and complete this version, which includes all the necessary features, including the SSRM.

The previous version of the security questionnaire, CAIQ v3.1, is being phased out and will only be available to submit to the registry until May 2022.

Learn more about the submission process.

CSA’s SECtember (Meydenbauer Center, Bellevue, WA, Sept. 13-16), the first global event dedicated to the intersection of cloud and cybersecurity, will feature a Compliance track, as well as sessions on CSA’s STAR Program. Rate for the full conference is $399; registration rate for students and government employees is $250. Register now.

About Cloud Security Alliance
The Cloud Security Alliance (CSA) is the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. CSA harnesses the subject matter expertise of industry practitioners, associations, governments, and its corporate and individual members to offer cloud security-specific research, education, training, certification, events, and products. CSA's activities, knowledge, and extensive network benefit the entire community impacted by cloud — from providers and customers to governments, entrepreneurs, and the assurance industry — and provide a forum through which different parties can work together to create and maintain a trusted cloud ecosystem. For further information, visit us at www.cloudsecurityalliance.org, and follow us on Twitter @cloudsa.