Implementing CCM: Supply Chain Management Controls
Published 10/24/2025
The Cloud Controls Matrix (CCM) is a framework of controls that are essential for cloud computing security. Created by CSA, the CCM aligns with CSA best practices.
You can use CCM to systematically assess and guide the security of any cloud implementation. CCM also provides guidance on which actors within the cloud supply chain should implement which security controls. Both cloud service customers (CSCs) and cloud service providers (CSPs) use CCM in many ways.
CSCs use CCM to:
- Assess the cloud security posture of current or potential cloud vendors. If a cloud vendor isn’t transparent about their security controls, the risk of doing business with them can be quite high.
- Compare vendors’ level of compliance with relevant standards like ISO 27001.
- Clarify the security roles and responsibilities between themselves and the CSP.
CSPs use CCM to:
- Assess, establish, and maintain a robust and internationally accepted cloud security program. CCM helps solidify CSPs' positions as trusted and transparent providers of cloud services.
- Compare their strengths and weaknesses against those of other organizations.
- Document controls for multiple standards in one place. CSA has mapped the controls in CCM against several industry-accepted security standards, regulations, and control frameworks.
CCM contains 197 control objectives structured into 17 domains that cover all key aspects of cloud technology:
[Figure: CCM Domains]
Today we’re looking at implementing the fifteenth domain of CCM: Supply Chain Management, Transparency, and Accountability (STA). The STA domain includes fourteen control specifications designed to help CSPs and CSCs manage supply chain risks and ensure security across the entire technology stack. These controls support the protection of confidentiality, integrity, and availability of information, applications, and services while ensuring regulatory compliance throughout the supply chain. The controls are:
- SSRM Policy and Procedures
- SSRM Supply Chain
- SSRM Guidance
- SSRM Control Ownership
- SSRM Documentation Review
- SSRM Control Implementation
- Supply Chain Inventory
- Supply Chain Risk Management
- Primary Service and Contractual Agreement
- Supply Chain Agreement Review
- Internal Compliance Testing
- Supply Chain Service Agreement Compliance
- Supply Chain Governance Review
- Supply Chain Data Security Assessment
These controls can be divided into two categories:
- Controls that are performed collaboratively by both the customer and the provider (joint controls)
- Controls that are performed separately but must be carried out by both parties (independent controls)
Overview of the STA Controls
A chain is only as strong as its weakest link, and that's true in cloud supply chains as well. The STA domain begins with policies and procedures. This control requires you to lay out how you're going to apply the shared security responsibility model (SSRM) through your documented, approved, communicated, and annually reviewed policies.
STA Controls 2 through 4 discuss implementing and documenting the SSRM. Controls 5 and 6 cover documentation review, where you validate your SSRM implementation. You also ensure that your SSRM makes sense for your organization and the relationship between the customer and provider.
Control 7 makes sure that you actually know the supply chain relationships that exist. Control 8 involves evaluating the risk factors across all your supply chain entities. Controls 9 and 10 cover mutually agreed upon provisions and the annual reviews you should conduct.
Controls 11, 12, and 13 cover compliance testing: looking through your service agreements to make sure your supply chain partners are also meeting security and privacy requirements. Control 13 specifically looks at the governance level to make sure your partners in the supply chain have the right policies and practices in place.
Finally, Control 14 helps make sure that you have defined and are conducting security assessments up and down the supply chain for all your supply chain organizations.
Honing in on the STA Shared Security Responsibility Model
Under the SSRM, CSPs are responsible for securing and managing their own supply chain and maintaining operational transparency. CSCs need to assess the risks associated with their chosen CSPs and supply chain vendors. Effective collaboration in implementing STA controls fosters transparency and accountability between CSPs and CSCs, leading to a more secure and resilient supply chain.
A Note on CSP Responsibilities
The responsibilities that fall solely on the CSP are not something that the customer should need to figure out. The provider should be clear and transparent about who should be operating which parts of the SSRM. They should not leave the customer to guess. The CSP, the one who’s controlling the environment, should provide guidance to the customer about securing themselves on the platform.
Shared Dependent Controls
Shared dependent controls are where both parties work together to define, document, and manage the responsibilities. This includes STA Controls 2, 5, and 6.
These controls discuss document review and control implementation. Each party must review, clarify, and formally agree on their own roles and responsibilities. They also must monitor their own assigned controls.
These controls depend on each other because while the CSC and CSP have their own controls that they assess, the CSC also needs the CSP's assessment. The CSP should prepare to share that assessment with current and potential customers. They should make it clear in their contracts exactly what controls they share with the customer and how that sharing happens.
This brings us to Control 9, which is about outlining the minimum terms that have to be agreed upon between the provider and customer. This list should at least include the CCM requirements. You cannot simply discuss them or write them down informally during the sales process. You have to include them in the contract.
Since they're in writing, legal advisors definitely need to be familiar with these cloud contracts as well. The CCM Implementation Guidelines can help them get a better understanding of what the controls are trying to achieve.
Finally, STA Control 10 says that you need to perform reviews at least annually. This is not only about having an annual checkbox. Reviews are also about making sure that the controls are effective and the risk assessments and audits that support those controls are in place.
This is the time to make changes and realign. You want to make sure that your contracts are effective. Don’t be afraid to make changes to the contracts or to the providers underneath the contracts.
Shared Independent Controls
The first shared independent control is Control 1, SSRM Policies and Procedures. This control focuses on how you’re implementing the shared security responsibility model. You want to define your objectives:
- Why are you implementing it this way?
- What are the roles and responsibilities for making sure that the SSRM gets implemented and upheld?
- What are the decision making processes and the communication flows?
- How do you integrate the policies into your service contracts?
Control 12 focuses on supply chain service agreement compliance. This is where you make sure that all partners in your supply chain, as well as their partners, have the adequate security measures that they are contractually required to implement.
STA Controls 7 and 8 are also great examples of being independent but shared controls. For example, your supply chain inventory is not going to be something that both parties share. One party can't make an inventory for the other. Similarly, evaluating risk factors and leveraging that data is going to be independent for each of the organizations involved.
Control 11, Internal Compliance Testing, is about making sure that the agreed controls are functioning as expected. Governance reviews should be done to evaluate supply chain partners and make sure that they're within the expectations defined in the policies.
Risks That Are Addressed by the STA Domain
- The CSP or CSC is not aware of their responsibilities. This results in unaddressed security risks. Use the SSRM and CCM to ensure that both the CSP and CSC are in agreement with who's responsible for each control.
- The CSP or CSC does not define and implement the controls properly. Use the CCM Implementation Guidelines to detail exactly how to put the control objectives in place.
- A breach occurs in an organization that's in the supply chain. The STA domain is all about having good supply chain transparency and accountability. This allows us to identify and manage incidents throughout that supply chain, not just if they happen under our own nose. The best practice is to establish and document clear coordination points between organizations for operations and response.
- The contractual agreement isn't clear enough or there's transparency issues in the language. The best practice here is using the SSRM to go beyond just the contractual agreement. While you definitely want to use a contract, you also want to have additional documentation and go through the work to make sure that you know who is doing what.
- A break in the supply chain leads to an availability incident. We've seen massive availability outages because of components in the supply chain. Go through standardized due diligence practices to be able to assess the level of readiness of a CSP. Do your work to evaluate supply chain risks holistically and on a regular basis.
Final Thoughts
The more preparation that each side does, the more ready they’ll be to have these conversations and use tools like the CCM. You can find all the details and guidance that we discussed today, and much more, in the CCM Implementation Guidelines.
Keep in mind, especially if your organization is adopting a new cloud service, how much the CCM can do for you. (Also it’s free to download and use!) It helps you:
- Check if you're properly applying security objectives throughout the domains
- Develop policies and review them regularly
- Clarify contracts and provisions between the customer and the provider
- Achieve compliance across cloud environments
- Cover all the security objectives a multi-cloud organization requires
Finally, learn how to implement the other CCM domains by reading the rest of the blogs in this series. Be on the lookout for the next installment: Threat & Vulnerability Management.