CCM v4 FAQ - Transition Timeline
Published 02/04/2021
This blog was updated on 12/17/21 with the latest information regarding the release of CCM v4 components.
On January 21st CSA released version 4 of the Cloud Controls Matrix (CCM). The new version ensures coverage of requirements deriving from new cloud technologies, new controls and enhanced interoperability and compatibility with other standards.
In this blog we will discuss the transition timeline for when organizations using the CCM in other CSA programs will need to start using version 4. We will also share the release timeline for the other CCM v4 components and answer questions around how the new version will affect:
- Mappings with standards
- Security Trust and Assurance Registry (STAR)
- Consensus Assessment Initiative Questionnaire (CAIQ)
- Certificate of Cloud Security Knowledge (CCSK)
CCM v4 Components Release Timeline
Item | Status | Release Date |
Released | January 2021 | |
Released | February 2021 | |
Released | June 2021 | |
Released | June 2021 | |
Released | September 2021 | |
Released | December 2021 | |
CCM Lite and CCM-SaaS | Upcoming | 2022 |
When will the CCM v4 mappings to other leading standards be available for usage?
The first set of mappings with CCM V3.0.1., ISO/IEC 27001/02/17/18 was released in February 2021
The CCM v4 is currently mapped to the following: ISO/IEC 27001/27002/27017/27018, CCM V3.0.1 and CIS Controls V8 and AICPA TSC . Additional mappings for PCI-DSS and NIST 8-53 Rev.5 are under development and other new mappings will also be added in the future.
When will the implementation and auditing guidelines be released?
The CCM v4 Implementation Guidelines were released in September. The implementation guidelines are a new addition to the CCM, their goal is to explain how to use the CCM and to support the users in better understanding and implementing the CCM controls. The implementation of CCM controls in a specific technological environment (e.g. AWS, Azure, GCP, etc) are beyond the scope of the Implementation Guidelines and for that purpose we encourage the users to collaborate with their peers in the dedicated CCM User Group in Circle.
The CCM v4 Auditing Guidelines were released in December. Similarly to the Implementation Guidelines, the Auditing Guidelines are a new additional component to the CCM. They explain how to approach the auditing and assessment of CCM controls and provide support to the auditors and auditees alike on how to evaluate the correct adoption of CCM controls.
When will CCM Lite and CCM for SaaS be released?
The CCM Lite and CCM-SaaS will be released in Q1 2022. The CCM Lite is a lightweight version of CCM which contains the foundational controls that any CSP regardless of their delivery model approach, size, complexity of the operations should implement, no matter what.
The CCM for SaaS is meant to define CCM controls that are specifically relevant to SaaS providers. At this point it’s still unclear the direction that this project will take. We are consulting with other stakeholders to verify the need/demand for such a new artifact.
STAR Program Transition Timeline
Item | Release Date |
Started accepting both V4 as well as CCM V3.0.1 and CAIQ V3.1 for all STAR Levels. | August 2021 |
STAR Level 2 will only accept V4 for all new submissions | December 2021 |
STAR Level 1 will start accepting only V4 for all submissions. | July 2022 |
STAR Level 2 will require all submissions to be V4. | July 2022 |
CCM v3.0.1 and CAIQ 3.1 will be withdrawn. [1] | January 21, 2023 |
When will it be possible to use version 4 of the CAIQ and CCM for STAR Submissions? When will previous versions no longer be accepted?
Until December 2021 we'll accept both versions of the CAIQ and CCM. After December 2021, all the new submissions (i.e. those services that are joining the STAR Registry for the first time) shall be done using V4. The companies/services that were in the registry prior to December 2021, have a two year transition period to switch to the new version.
Will CCM v4 be used now for the STAR attestation or Certifications? Or is CCM v3.0.1 still accepted?
See the previous answer. While both versions are currently accepted, we strongly encourage organizations to adopt V4 as soon as possible.
Clarifications on STAR Attestations:
We are trying to be consistent with the AICPA's typical process in these cases. As an example, assume the AICPA issued new criteria related to SOC 2 as of Jan. 15, 2022. If a SOC engagement began prior to the issuance of new criteria, the evaluation could be made using the “old” criteria; if so, the report would state that. Even if the evaluation was performed over a period of time that overlapped the date on which the new criteria were issued, it may be more practical to use the “old” criteria; again, the report should state which was used. If the old criteria were used, the client must be updated at the next scheduled assessment and their attestation would be valid until that time. Similarly, as per our transition guidance, we would expect all new STAR Level 2 submissions as of December 1, 2021, to be done based on the CCM v4.
CCM 3.0.1 will continue to be allowed to be used through January 22, 2023, at which time these submissions will be considered superseded. During the transition period (from the publication date issued to January 22, 2023), practitioners’ reports using CCM should clearly distinguish whether the extant or the CCM v4 have been used.
Will CCM v4 impact the CCSK?
For the time being the CCSK curriculum and exam will remain as is, and CCM v4 won't affect it in any way. This means when taking the exam, if you have a question related to the CCM (for example: the number of domains), it will still refer to CCM v3.0.1.
[1] Withdrawn means it is no longer relevant. No further work will be done to maintain or update a withdrawn standard. Withdrawn standards are therefore still available in the CSA archives for reference only (though will be marked as withdrawn).
Related Articles:
Top Threat #6 - Code Confusion: The Quest for Secure Software Development
Published: 12/02/2024