What is the Cloud Controls Matrix (CCM)?
By Eleftherios Skoutaris, Program Manager for CCM Working Group at Cloud Security Alliance
What is the Cloud Controls Matrix?
The CSA Cloud Controls Matrix (CCM) is a cybersecurity control framework for cloud computing. In its v3.0.1 release it is a spreadsheet organised into 16 domains covering the key aspects of cloud technology, broken down into 133 control objectives in total (not 133 per domain). It can be used as a tool to systematically assess a cloud implementation, because each control states which security measure should be implemented and by which actor within the cloud supply chain. The framework is aligned to the CSA Security Guidance v4 and is widely treated as a de-facto standard for cloud security assurance and compliance. Translated versions of CCM v3 are available here.
Map to Standards, Regulations and Controls Frameworks
The controls in the CCM are mapped against industry-accepted security standards, regulations, and control frameworks.
The CCM v4 is currently mapped to the following:
- ISO/IEC 27001/27002/27017/27018
- CCM v3.0.1
- CIS Controls v8
Additional mappings for AICPA TSC, PCI DSS and NIST SP 800-53 Rev. 5 are under development, and further mappings will be added in the future.
The previous version, CCM v3.0.1, is mapped to the following standards:
- ISO 27001/27002/27017/27018
- NIST SP 800-53
- AICPA TSC
- German BSI C5
- PCI DSS
- ISACA COBIT
- NERC CIP
- And many others...
How does it work?
The Cloud Controls Matrix is a spreadsheet that lists the common frameworks and regulations organizations need to comply with. Each CCM control is mapped to the corresponding requirements in multiple industry-accepted security standards, regulations, and frameworks, so evidence that a CCM control is in place also serves as evidence toward the requirements it maps to in those standards. This reduces the need to work with several frameworks separately and simplifies cloud security by showing the common cloud standards in one place. For each control the user can see all of the requirements it maps to: satisfying a single control may, for instance, address requirements in three different regulations and frameworks at once. Note that a mapping records correspondence, not equivalence; where a mapped standard demands more than the CCM control does, the difference has to be closed separately, which is why CSA's mapping documents typically include a gap analysis.
Each control in the CCM indicates who should fulfill the control (the CSP or cloud customer) and it indicates which cloud model type (IaaS, PaaS, SaaS) or cloud environment (public, hybrid, private) the control applies to. The CCM clarifies the roles and responsibilities between a cloud service provider and cloud customer by delineating which control guidance is relevant to each party.
For Cloud Customers
Use the CCM to assess cloud vendors or in place of an RFP
The Consensus Assessments Initiative Questionnaire (CAIQ) is a companion to the CCM that provides a set of yes-or-no questions a cloud consumer or auditor may wish to ask a cloud provider. Because the questions are derived from the CCM controls, the answers document which security controls exist in a provider's IaaS, PaaS, and SaaS offerings. Organizations often build the security section of a request for proposal (RFP) from the CAIQ and then verify the validity of a vendor's answers during the RFP interview. Over 500 organizations currently use the CAIQ to submit self-assessments to the STAR registry.
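The two passages above describe the CCM as a table in which every control carries a responsible party, an applicable service model, and a list of mapped requirements, and the CAIQ as a yes/no answer per control. The script below, added here as an illustration and not part of the original post or of any CSA tooling, shows how those pieces combine: it filters a CCM-style table by service model, separates customer-side controls from provider-side ones, and rolls the provider's CAIQ-style answers up to the mapped requirements so that covered requirements and gaps can be read off per standard. The control IDs ("EX-..."), the requirement references they map to, and the answers are constructed placeholders, not the CCM's real controls, mappings, or any vendor's submission.

```python
"""Roll CAIQ-style yes/no answers up to mapped requirements over a CCM-style table."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Control:
    control_id: str
    domain: str
    responsibility: str                    # "CSP", "Customer" or "Shared"
    service_models: FrozenSet[str]         # subset of {"IaaS", "PaaS", "SaaS"}
    mappings: Tuple[Tuple[str, str], ...]  # (standard, requirement) pairs


# Constructed sample rows for illustration only. The "EX-" control IDs and the
# requirement references do not reproduce the CCM's real controls or mappings.
SAMPLE_CONTROLS = (
    Control("EX-IAM-01", "Identity & Access Management", "Shared",
            frozenset({"IaaS", "PaaS", "SaaS"}),
            (("ISO/IEC 27001", "A.9.2.1"), ("NIST SP 800-53", "AC-2"), ("PCI DSS", "8.1"))),
    Control("EX-IAM-02", "Identity & Access Management", "Customer",
            frozenset({"IaaS", "PaaS", "SaaS"}),
            (("ISO/IEC 27001", "A.9.2.1"), ("NIST SP 800-53", "AC-6"))),
    Control("EX-CEK-01", "Cryptography, Encryption and Key Management", "CSP",
            frozenset({"IaaS", "PaaS", "SaaS"}),
            (("ISO/IEC 27001", "A.10.1.2"), ("NIST SP 800-53", "SC-12"), ("PCI DSS", "3.5"))),
    Control("EX-IVS-01", "Infrastructure & Virtualization Security", "CSP",
            frozenset({"IaaS", "PaaS"}),
            (("ISO/IEC 27001", "A.12.6.1"), ("NIST SP 800-53", "CM-6"))),
    Control("EX-LOG-01", "Logging and Monitoring", "Shared",
            frozenset({"IaaS", "PaaS", "SaaS"}),
            (("NIST SP 800-53", "AU-2"), ("PCI DSS", "10.2"))),
)

# Constructed CAIQ-style answers from a hypothetical SaaS provider. A control
# that is absent from the dict is treated the same as an explicit "no".
SAMPLE_ANSWERS: Dict[str, bool] = {"EX-IAM-01": True, "EX-CEK-01": True, "EX-LOG-01": False}


def applicable_controls(controls, service_model: str) -> List[Control]:
    """Controls that apply to the given service model (IaaS, PaaS or SaaS)."""
    return [c for c in controls if service_model in c.service_models]


def provider_coverage(controls, answers: Dict[str, bool], service_model: str) -> dict:
    """Map provider-side yes/no answers onto the requirements the controls cover.

    A requirement counts as covered only when every applicable provider-side
    (CSP or Shared) control mapping to it was answered "yes"; otherwise it is
    reported as a gap together with the controls that were not evidenced.
    Customer-only controls are not expected from the provider and are listed
    separately so the consumer knows which obligations remain on its side.
    """
    yes_controls = set()
    need_by_req: Dict[Tuple[str, str], set] = {}
    customer_side = []
    for c in applicable_controls(controls, service_model):
        if c.responsibility == "Customer":
            customer_side.append(c.control_id)
            continue
        if answers.get(c.control_id, False):
            yes_controls.add(c.control_id)
        for std, req in c.mappings:
            need_by_req.setdefault((std, req), set()).add(c.control_id)

    covered: Dict[str, set] = {}
    gaps: Dict[str, Dict[str, List[str]]] = {}
    for (std, req), needed in sorted(need_by_req.items()):
        missing = sorted(needed - yes_controls)
        if missing:
            gaps.setdefault(std, {})[req] = missing
        else:
            covered.setdefault(std, set()).add(req)
    return {"covered": covered, "gaps": gaps, "customer_side": sorted(customer_side)}


if __name__ == "__main__":
    result = provider_coverage(SAMPLE_CONTROLS, SAMPLE_ANSWERS, "SaaS")
    for std, reqs in result["covered"].items():
        print(f"covered  {std}: {sorted(reqs)}")
    for std, reqs in result["gaps"].items():
        print(f"gap      {std}: {reqs}")
    print("customer-side controls:", result["customer_side"])
```

Run as a script it prints the SaaS view of the sample data: the identity and key-management requirements are covered, the logging requirements (NIST SP 800-53 AU-2, PCI DSS 10.2) show up as gaps attributed to the one control answered "no", and the customer-only control is listed so the consumer knows it is theirs to satisfy. Re-running with "IaaS" brings the infrastructure control into scope and adds its unanswered mappings to the gaps, which is the service-model filtering the matrix is designed to support. The all-or-nothing rule (a requirement is covered only when every control mapped to it is evidenced) is a deliberately conservative reading of the mapping; a real assessment would still have to check the mapping document's gap analysis for requirements that the mapped control only partially addresses.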
For Cloud Service Providers (CSPs)
Use the CCM to submit to CSA’s public registry.
The CCM is used as the standard to assess the security posture of organizations listed on the Security, Trust, Assurance and Risk (STAR) registry. The STAR program promotes flexible, incremental and multi-layered certifications that integrate with popular third-party assessments to avoid duplication of effort and cost. Cloud service providers can fill out the extended question set that aligns with the CCM and send it to potential and current clients to demonstrate compliance with industry standards, frameworks and regulations. It is recommended that providers submit the completed CAIQ to the STAR Registry so that it is publicly available to all clients.
Security Domains Covered by the CCM
CSA is currently working on releasing the fourth iteration of the Cloud Controls Matrix. CCM v4 constitutes a significant upgrade to the previous version (v3.0.1): it changes the structure of the framework with a new domain dedicated to Logging and Monitoring (LOG) and modifies existing ones (GRC, A&A, UEM, CEK). This update also delivers a significant increase in the number of requirements as a result of developing additional controls and updating existing ones.
Additional features of the CCM v4 update are:
- Coverage of requirements deriving from new cloud technologies
- New controls and a shared security responsibility matrix
- Improved auditability of the controls, and enhanced interoperability and compatibility with other standards
The domains covered in the new Cloud Controls Matrix (CCM) v4, with the domain IDs used in the spreadsheet, are:
- Application & Interface Security (AIS)
- Audit and Assurance (A&A)
- Business Continuity Management & Operational Resilience (BCR)
- Change Control & Configuration Management (CCC)
- Data Security & Privacy Lifecycle Management (DSP)
- Datacenter Security (DCS)
- Cryptography, Encryption and Key Management (CEK)
- Governance, Risk Management and Compliance (GRC)
- Human Resources Security (HRS)
- Identity & Access Management (IAM)
- Infrastructure & Virtualization Security (IVS)
- Interoperability & Portability (IPY)
- Universal Endpoint Management (UEM)
- Security Incident Management, E-Discovery & Cloud Forensics (SEF)
- Supply Chain Management, Transparency & Accountability (STA)
- Threat & Vulnerability Management (TVM)
- Logging and Monitoring (LOG)
What if there is a regulation or industry framework not covered in the current version of CCM?
Where a region-specific regulation or a new framework that organizations need to map to is not yet covered, CSA releases a CCM mapping for it. You can find a list of all available mappings to the Cloud Controls Matrix (CCM) here.
Most Recent CCM Mappings:
- Gap Analysis Report - Mapping of the Association of Banks in Singapore Cloud Computing Implementation Guide 2.0 to Cloud Security Alliance Cloud Controls Matrix v3.0.1
- Enterprise Architecture to CCM Shared Responsibility Model
- CSA CCM v3.0.1 Addendum - Cloud OS Security Specifications
- Mapping of 'The Guidelines' Security Recommendations to CCM
- CCM v3.0.1 Addendum - FedRAMP Moderate
- CSA CCM v3.0.1 Addendum - NIST 800-53 Rev 4 Moderate
- CSA CCM v3.0.1 Addendum - AICPA TSC 2017
Can I get certified against the CCM? How do I become CCM certified?
Organizations looking to be certified against the CCM do so through the CSA STAR program, which lists the results in the STAR Registry. Level 1 is the CAIQ self-assessment described above; Level 2 is a third-party assessment, either a STAR Attestation (a SOC 2 examination extended with the CCM criteria) or a STAR Certification (an ISO/IEC 27001 certification extended with the CCM).
Help CSA develop future versions of the CCM by joining the working group!
We are always looking for new experts to join the Cloud Controls Matrix Working Group to help make the CCM the most effective tool it can be for people actually using it in the industry. You can learn more and join the working group here.