CCM v4 FAQ - Transition Timeline
Blog Article Published: 02/04/2021
On January 21st CSA released version 4 of the Cloud Controls Matrix (CCM). The new version ensures coverage of requirements deriving from new cloud technologies, new controls and enhanced interoperability and compatibility with other standards.
In this blog we will discuss the transition timeline for when organizations using the CCM in other CSA programs will need to start using version 4. We will also share the release timeline for the other CCM v4 components and answer questions around how the new version will affect:
- Mappings with standards
- Security Trust and Assurance Registry (STAR)
- Consensus Assessment Initiative Questionnaire (CAIQ)
- Certificate of Cloud Security Knowledge (CCSK)
CCM v4 Components Release Timeline
When will the CCM v4 mappings to other leading standards be available for usage?
The first set of mappings, with CCM V3.0.1, ISO27001/17/18 and AICPA TSP, will be released in February 2021.
Other mappings will be released later, between September and December. CSA will be working to create additional mappings to relevant standards, best practices, laws and regulations (e.g., NIST 800-53 Rev 5, ENISA Security Controls for Cloud Services, CIS Controls, PCI-DSS).
When will the other columns indicating the relevance of each control for the architectural type and cloud service delivery model be released?
The control applicability matrix columns, which help define the attribution of responsibilities between cloud service providers and customers, will be released in early Q2 2021.
The organizational relevance columns, which help define the organizational relevance of each control based on work done by the CSA Enterprise Architecture working group, are expected to be released in early Q2 2021.
When will CAIQ v4 be released?
The fourth version of the Consensus Assessment Initiative Questionnaire (CAIQ) will be released in April 2021. This questionnaire accompanies the CCM and provides questions that vendors can answer to ascertain if they comply with the CCM.
When will the implementation and auditing guidelines be released?
The CCM v4 Implementation Guidelines will be released in April. The Implementation Guidelines are a new addition to the CCM. Their goal is to explain how to use the CCM and to help users better understand and implement the CCM controls. The implementation of CCM controls in a specific technological environment (e.g., AWS, Azure, GCP) is beyond the scope of the Implementation Guidelines; for that purpose we encourage users to collaborate with their peers in the dedicated CCM User Group in Circle.
In June/July the Auditing Guidelines will be released. Like the Implementation Guidelines, the Auditing Guidelines are a new component of the CCM. They will explain how to approach the auditing and assessment of CCM controls and support auditors and auditees alike in evaluating the correct adoption of CCM controls.
When will CCM Lite be released?
In Fall (September-December) the CCM Lite will be released. The CCM Lite is a lightweight version of the CCM that contains the foundational controls any CSP should implement, regardless of its delivery model approach, size or complexity of operations.
STAR Program Transition Timeline
- May 2021: CSA will start accepting both V4 and V3.0.1 for all STAR Levels.
- October 2021: STAR Level 2 will only accept V4 for all new submissions.
- May 2022: STAR Level 1 will start accepting only V4 for all submissions.
- June 2023: STAR Level 2 will require all submissions to be V4.
When will it be possible to use version 4 of the CAIQ and CCM for STAR Submissions? When will v3.0.1 no longer be accepted?
Until January 2022 we'll accept both V3.0.1 and V4. After January 2022, all new submissions (i.e., those services that are joining the STAR Registry for the first time) shall be done using V4. The companies/services that were in the registry prior to January 2022 have a two-year transition period (until January 2023) to switch to the new version.
Will CCM v4 be used now for the STAR attestation or Certifications? Or is CCM v3.0.1 still accepted?
See the previous answer. While both versions are currently accepted, we strongly encourage organizations to adopt V4 as soon as possible.
Will CCM v4 impact the CCSK?
For the time being, the CCSK curriculum and exam will remain as is, and CCM v4 won't affect them in any way. This means that when taking the exam, if you have a question related to the CCM (for example, the number of domains), it will still refer to CCM v3.0.1.