Cloud 101CircleEventsBlog
Register for CSA’s free Virtual Cloud Trust Summit to tackle enterprise challenges in cloud assurance.

Publication Peer Review

CCMV4 SSRM Implementation Guidelines
CCMV4 SSRM Implementation Guidelines

CCMV4 SSRM Implementation Guidelines

Open Until: 01/04/2024

Cloud Security Alliance (CSA) and the Cloud Controls Matrix (CCM) WG would like to invite cloud organizations and cloud security experts to participate in this open peer review of the “Final Draft” version of the CCM V4 control ownership & implementation guidelines that is developed according to the Cloud Shared Security Responsibility Model (SSRM).

Purpose and Scope of CCM V4 SSRM Project
The Shared Security Responsibility Model (SSRM) is inherent to the use of cloud services. It is essential that cloud service customers (CSCs) are fluent and current in understanding how they and their cloud service providers (CSPs) share the responsibility for securing their cloud footprint. 

The CSA, the CCM WG and our industry partners are interested in extending the CCM V4 framework by developing SSRM implementation guidelines for the 17 security domains and the total of 197 control specifications in the CCM. The objective is to aid cloud stakeholders implement the CCM controls by delineating their security responsibilities within the shared cloud infrastructure.

Peer Review Objective
The objective of this review is twofold:

1. Assess SSRM Guidelines Usefulness. 
The invitation is especially targeting Cloud organizations that are new to the cloud and are seeking for a comprehensive SSRM implementation guidance that is tailored to the CCM V4 controls, enabling them to better understand the controls semantics, the CSP and CSC responsibilities and how the controls should be implemented by each party & according to each service model (IaaS/PaaS/SaaS). Your feedback is valuable to help CSA and the CCM WG evaluate the ‘practical’ usefulness of the SSRM guidelines for you and your organization, and improve them if/where needed.

2. Assess SSRM Guidelines Correctness & Completeness.
The invitation is also extended towards Cloud organizations with mature cloud security programs and highly experienced cloud security experts who are eager to help CSA and the CCM WG to improve the SSRM guidelines by identifying possible areas where these might be incomplete and/or incomprehensible.

Peer Review Duration
The duration of the peer review is going to be set for 30 calendar days starting from the date of publication.
After this period, the CCM WG and its co-chairs are going to work alongside the hyperscalers (Google, AWS, Microsoft) and cloud experts/organizations to consolidate the received feedback into an CCM V4 SSRM Implementation Guidelines final version.

Peer Review Guidance
To participate please follow the link to the review site. From there you should be able to navigate to Google Sheets and provide your comments. 
What you will see in the document are the CCM V4 controls and right below them the SSRM control ownership and implementation guidelines. CCM V4 controls are not in scope of this review.

Your comments are needed in alignment to the review criteria listed in section 2 of the shared document and the ‘Peer Review Objective’ section above.

Please do not provide editorial comments (i.e., grammar, formatting, etc.) but rather focus on the content of the document.

Peer review period has ended.