Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Zero Trust Training (ZTT)
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Zero Trust Training (ZTT)
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Cloud 101CircleEventsBlog
Join AT&T Cybersecurity in Chicago to learn top 2024 resilience tactics on May 21st!

Publication Peer Review

Home
Publications
CCMV4 SSRM Implementation Guidelines
CCMV4 SSRM Implementation Guidelines

CCMV4 SSRM Implementation Guidelines

Open Until: 01/04/2024

Cloud Security Alliance (CSA) and the Cloud Controls Matrix (CCM) WG would like to invite cloud organizations and cloud security experts to participate in this open peer review of the “Final Draft” version of the CCM V4 control ownership & implementation guidelines that is developed according to the Cloud Shared Security Responsibility Model (SSRM).

Purpose and Scope of CCM V4 SSRM Project
The Shared Security Responsibility Model (SSRM) is inherent to the use of cloud services. It is essential that cloud service customers (CSCs) are fluent and current in understanding how they and their cloud service providers (CSPs) share the responsibility for securing their cloud footprint. 

The CSA, the CCM WG and our industry partners are interested in extending the CCM V4 framework by developing SSRM implementation guidelines for the 17 security domains and the total of 197 control specifications in the CCM. The objective is to aid cloud stakeholders implement the CCM controls by delineating their security responsibilities within the shared cloud infrastructure.

Peer Review Objective
The objective of this review is twofold:

1. Assess SSRM Guidelines Usefulness. 
The invitation is especially targeting Cloud organizations that are new to the cloud and are seeking for a comprehensive SSRM implementation guidance that is tailored to the CCM V4 controls, enabling them to better understand the controls semantics, the CSP and CSC responsibilities and how the controls should be implemented by each party & according to each service model (IaaS/PaaS/SaaS). Your feedback is valuable to help CSA and the CCM WG evaluate the ‘practical’ usefulness of the SSRM guidelines for you and your organization, and improve them if/where needed.

2. Assess SSRM Guidelines Correctness & Completeness.
The invitation is also extended towards Cloud organizations with mature cloud security programs and highly experienced cloud security experts who are eager to help CSA and the CCM WG to improve the SSRM guidelines by identifying possible areas where these might be incomplete and/or incomprehensible.

Peer Review Duration
The duration of the peer review is going to be set for 30 calendar days starting from the date of publication.
After this period, the CCM WG and its co-chairs are going to work alongside the hyperscalers (Google, AWS, Microsoft) and cloud experts/organizations to consolidate the received feedback into an CCM V4 SSRM Implementation Guidelines final version.

Peer Review Guidance
To participate please follow the link to the review site. From there you should be able to navigate to Google Sheets and provide your comments. 
What you will see in the document are the CCM V4 controls and right below them the SSRM control ownership and implementation guidelines. CCM V4 controls are not in scope of this review.

Your comments are needed in alignment to the review criteria listed in section 2 of the shared document and the ‘Peer Review Objective’ section above.

Please do not provide editorial comments (i.e., grammar, formatting, etc.) but rather focus on the content of the document.


Peer review period has ended.