CCM v4 FAQ - Transition Timeline
This blog was updated on 8/16/21 with the latest information regarding the release timeline for CCM v4 components and transition timeline for the STAR Registry.
On January 21st CSA released version 4 of the Cloud Controls Matrix (CCM). The new version ensures coverage of requirements deriving from new cloud technologies, new controls and enhanced interoperability and compatibility with other standards.
In this blog we will discuss the transition timeline for when organizations using the CCM in other CSA programs will need to start using version 4. We will also share the release timeline for the other CCM v4 components and answer questions around how the new version will affect:
- Mappings with standards
- Security Trust and Assurance Registry (STAR)
- Consensus Assessment Initiative Questionnaire (CAIQ)
- Certificate of Cloud Security Knowledge (CCSK)
CCM v4 Components Release Timeline
When will the CCM v4 mappings to other leading standards be available for usage?
The first set of mappings with CCM V3.0.1., ISO/IEC 27001/02/17/18 was released in February 2021
Other mappings will be released later within the timeframe from June to September. CSA will be working to create additional mapping to relevant standards, best practices, laws and regulations (e.g., NIST 800-53 Rev 5, ENISA Security Controls for Cloud Services, CIS Controls, PCI-DSS, AICPA TSP).
When will CAIQ v4 be released?
The fourth version of Consensus Assessment Initiative Questionnaire (CAIQ) was released June 2021. This questionnaire accompanies the CCM and provides questions that vendors can answer to ascertain if they comply with the CCM. Version 4 has been combined with the CCM v4, and both files are available to download together here. If you want to submit CAIQ v4 to the registry you will need to download this version instead.
When will the implementation and auditing guidelines be released?
The CCM v4 Implementation guidelines will be released in September. The implementation guidelines are a new addition to the CCM, their goal is to explain how to use the CCM and to support the users in better understanding and implementing the CCM controls. The implementation of CCM controls in a specific technological environment (e.g. AWS, Azure, GCP, etc) are beyond the scope of the Implementation Guidelines and for that purpose we encourage the users to collaborate with their peers in the dedicated CCM User Group in Circle.
In September the Auditing Guidelines will be released. Similarly to the Implementation Guidelines, the Auditing Guidelines are a new additional component to the CCM. They will explain how to approach the auditing and assessment of CCM controls and provide support to the auditors and auditees alike on how to evaluate the correct adoption of CCM controls.
When will CCM Lite and CCM for SaaS be released?
In Q1 2022, the CCM Lite and CCM-SaaS will be released. The CCM Lite is a lightweight version of CCM which contains the foundational controls that any CSP regardless of their delivery model approach, size, complexity of the operations should implement, no matter what.
The CCM for SaaS is meant to define CCM controls that are specifically relevant to SaaS providers. At this point it’s still unclear the direction that this project will take. We are consulting with other stakeholders to verify the need/demand for such a new artifact.
STAR Program Transition Timeline
- August 2021: CSA started accepting both V4 as well as CCM V3.0.1 and CAIQ V3.1 for all STAR Levels.
- December 2021: STAR Level 2 will only accept V4 for all new submissions
- July 2022: STAR Level 1 will start accepting only V4 for all submissions.
- July 2022: STAR Level 2 will require all submissions to be V4.
When will it be possible to use version 4 of the CAIQ and CCM for STAR Submissions? When will previous versions no longer be accepted?
Until December 2021 we'll accept both versions of the CAIQ and CCM. After December 2021, all the new submissions (i.e. those services that are joining the STAR Registry for the first time) shall be done using V4. The companies/services that were in the registry prior to December 2021, have a two year transition period to switch to the new version.
Will CCM v4 be used now for the STAR attestation or Certifications? Or is CCM v3.0.1 still accepted?
See the previous answer, while both versions are currently accepted, we strongly encourage organizations to adopt V4 as soon as possible.
Will CCM v4 impact the CCSK?
For the time being the CCSK curriculum and exam will remain as is, and CCM v4 won't affect it in any way. This means when taking the exam, if you have a question related to the CCM (for example: the number of domains), it will still refer to CCM v3.0.1.