Introducing the SaaS Security Capability Framework (SSCF) v1.0: Raising the Bar for SaaS Security
Published 09/24/2025
Why SaaS Security Needs a Rethink
SaaS has changed everything. From collaboration tools to critical business applications, SaaS is now the default way organizations consume technology. But with this massive shift comes a big problem: security hasn’t kept up.
Most Third-Party Risk Management (TPRM) programs focus on a supplier’s overall organizational security (like SOC 2 reports and ISO certifications). What they don’t really assess is the actual security capabilities inside each SaaS application, nor do they guide enterprises towards leveraging those capabilities. That means enterprises end up with hundreds of apps that look compliant on paper but leave real security gaps in practice.
The recent open letter from JPMorgan Chase to its suppliers highlighted exactly this issue. They called out the lack of consistent SaaS security controls and urged the industry to do better. Without a clear baseline, enterprises, SaaS vendors, and security teams are all left trying to fill in the gaps on their own with a lot of duplicated effort and unnecessary risk.
Enter the SSCF v1.0
That’s where the SaaS Security Capability Framework (SSCF) v1.0 comes in.
This project was driven by security leaders from MongoDB and GuidePoint Security, who rolled up their sleeves to lead the development effort. Alongside them, the Cloud Security Alliance (CSA) co-led by doing what it does best: bringing industry stakeholders together, applying its deep experience in building standards like the Cloud Controls Matrix (CCM v4), and guiding the work through a structured research lifecycle. CSA made sure SaaS providers, SaaS customers, auditors, and consulting firms all had a voice, so the framework reflects real-world needs.
The result? A practical, customer-facing framework of security capabilities that SaaS vendors can adopt today. It gives SaaS customers and vendors a consistent basis for security reviews and security practices, which helps reduce the security risks of SaaS adoption.
"The SSCF v1.0 tackles a long-standing challenge in SaaS security: the lack of consistent, actionable controls. By focusing on practical solutions that both vendors and customers can implement, this framework bridges the gap between high-level compliance and real-world security needs. At GuidePoint Security, we’re proud to have worked alongside the Cloud Security Alliance and industry peers to create something that simplifies SaaS security for everyone involved," says Jonathan Villa, Senior Cloud Practice Director at GuidePoint Security.
Boris Sieklik, Senior Director, Security Engineering at MongoDB, adds, "The SSCF provides exactly what SaaS customers like us have been missing: a clear, standardized set of configurable controls that make it easier to evaluate, adopt, and securely operate SaaS applications."
Here’s what the SSCF sets out to do:
- For TPRM teams: Provide a consistent baseline to make vendor risk assessments faster and more straightforward.
- For SaaS vendors: Reduce the burden of repetitive questionnaires and differing assessments by aligning responses to a single, widely recognized standard.
- For SaaS security engineers: Deliver a practical checklist to strengthen SaaS adoption and day-to-day security operations.
What’s Inside v1.0
The SSCF v1.0 lays out controls across six key security domains, which are adopted from CSA’s CCM v4:
- Change Control and Configuration Management (CCC)
- Data Security and Privacy Lifecycle Management (DSP)
- Identity and Access Management (IAM)
- Interoperability & Portability (IPY)
- Logging and Monitoring (LOG)
- Security Incident Management, E-Discovery, and Cloud Forensics (SEF)
These domains don’t replace frameworks like SOC 2 or ISO 27001. Instead, they translate those high-level requirements into tangible SaaS security features that customers can actually configure and rely on: log delivery, SSO enforcement, secure configuration guidelines, and incident notification, all the things customers really need to run SaaS securely day to day.
Why This Matters
At its core, the SSCF is about reducing friction. Enterprises get more consistent security features across their SaaS portfolio and can create consistent implementation baselines across a highly varied SaaS landscape. Vendors know exactly what security controls will be expected. And everyone saves time by moving away from one-off assessments and toward a common baseline.
Most importantly, it builds trust. In a world where SaaS is now mission-critical, that trust is the difference between secure adoption and risky blind spots.
Valence Security’s Co-Founder and CTO, Shlomi Matichin, states, "In a world where the SSCF is widely adopted, organizations will be able to consume SaaS securely, at scale, and without incurred costs on security operations. The importance of the SSCF multiplies with the rapid adoption of agentic AI supercharging SaaS adoption and data movement."
What’s Next
SSCF v1.0 is just the beginning. The next phase of the project is already underway, and it’s focused on turning the framework into something even more actionable:
- Implementation and auditing guidelines that help organizations put the controls into practice and show auditors how to assess those controls effectively.
- An assessment and certification scheme that measures how effective those controls really are.
Together, these will help SaaS providers and customers move beyond checklists to real, measurable security improvements.
CSA is proud to have partnered with MongoDB, GuidePoint Security, and a wide community of lead contributors, including Grip Security, Obsidian Security, Valence Security, GitLab, Siemens, Kaufman Rossin, AppOmni, Band of Coders, and others to make SSCF v1.0 a reality. This first version lays the foundation for a more consistent, more secure, and more trusted SaaS ecosystem. And the work doesn’t stop here. The best is yet to come.