CAIQ v4 Released - Changes from v3.1 to v4
Since the publication of CCM v4 in January 2021, CSA has initiated a process to upgrade CAIQ, the questionnaire associated with CCM. In this blog we will explain changes made to version 4 of the CAIQ, and what you can expect when using it to submit to the STAR registry.
CCM V4 represents a major improvement compared to previous versions of the standard, it includes:
- a new structure that better reflects the cloud security and privacy requirements of modern cloud services
- new additional controls
- an improved language that favors the implementation and evaluation of the controls.
It also adds new features such as the CCM Implementation Guidelines (expected to be published in July), the CCM Auditing Guidelines (expected to be published in September) and the CCM Metrics (expected to be published in September as well).
Of course, the introduction of CCM V4, couldn’t not be accompanied by the introduction of version 4 of the CAIQ, the questionnaire associated with the CCM controls. As many of you know, CAIQ is the basis for the STAR Self-Assessment (STAR Level 1) and of many cloud vendor evaluation programs.
What is changing in CAIQ v4?
CAIQ V4, similarly to CCM V4, will include new features that are expected to increase the value for its users, both cloud service providers (CSP) and customers (CSC).
The number of questions in the new version was reduced to 261.
The new version of CAIQ includes changes both in the number of questions 261 (compared to the 310 of the V3.1) and in the structure of the document used for the submissions for the STAR Level 1.
The structural changes are possibly the most important ones, since they offer the user the possibility to show additional accountability and transparency about their security and privacy practices.
New columns for the Shared Responsibility Model were added to help address one of the biggest risks in the cloud ecosystem.
The new CAIQ structure includes new columns related to the Security Shared Responsibility Model (SSRM). Thanks to this new feature the CSP will be able to better describe the allocation of the responsibility for the implementation of a CCM V4 control for the benefit of their current and potential customers.
The objective of this update was to address what is arguably one of the biggest sources of risks in the cloud ecosystem, which is the lack of understanding of the shared responsibility model. Such a communication and information gap between the various actors of the cloud supply chain, especially between providers and customers, is often the cause of serious, but easily avoidable, cloud security and privacy breaches, due to the fact that several security and privacy controls end up falling into a ‘no man’s (what-ever-gender-you-prefer’s) land’.
With this new addition to CAIQ, and consequently to the STAR Registry, CSA wants to help facilitate cloud customers with their vendor/3rd-party management process as well as in building a conscious cloud security, privacy and accountability program.
A closer look at the features of the Shared Responsibility Model column.
The SSRM feature of CAIQ is connected to the ‘Supply chain Management, Transparency and Accountability’ (STA) domain of the CCM, and in particular to the control STA-04, which requires the CSP to “Delineate the shared ownership and applicability of all CSA CCM controls according to the SSRM for the cloud service offering.”
The SSRM feature includes a mandatory multiple-choice column (described below) and voluntary additional columns where the CSP can further explain what it is doing to satisfy the requirements under its responsibility and what the CSC is expected to do in order to comply with its responsibilities.
When a CSP is addressing the CAIQ questions, it will be requested to specify if the control is:
- CSP-owned: which means that the cloud service provider is fully responsible and fully accountable for it.
- CSC-owned: which means that the cloud consumer is fully responsible and fully accountable.
- 3rd party-outsourced: which means that a 3rd party is fully responsible, while the CSP is still fully accountable. For instance, this would describe the situation of a SaaS provider answering a CAIQ question related to the Datacenter Security (DCS) domain, where the IaaS provider (3rd party) is responsible for the actual implementation of the control, while the SaaS provider still maintains the accountability vis a vis its contractual counterpart, i.e. the customer.
- Shared CSP and CSC: which means that the responsibility and accountability of the control are shared between the CSP and CSC. For instance, this would be the case for several controls in the Cryptography, Encryption and Key management (CEK) domain.
- Shared CSP and 3rd party: which means that the responsibility for the control is shared between CSP and a 3rd party, but the CSP still remains fully accountable.
When will CAIQ v4 be accepted in the STAR Registry?
CSA started accepting submissions to STAR Level 1 based on CAIQ V4 in August. If you want to submit CAIQ v4 to the STAR Registry you will need to download and fill out this version.
Users should note that CSA has created two separate versions of the CAIQ:
- CCM + CAIQ v4: This version of CAIQ v4 includes only the questionnaire, and is folded into the CCM file. This version cannot be used to submit to STAR.
- STAR Level 1: Security Questionnaire (CAIQ v4): This version should be used to submit to the STAR registry. It will include all the necessary features, including the SSRM.