The Cloud Security Alliance and the CCM Working Group have developed CCM Lite, a streamlined version of the Cloud Controls Matrix (CCM) v4. It consists of 91 controls, a subset of the 197 of the CCM, and it includes foundational controls that should be implemented by any organization, regardless of their budget, maturity and risk profile.
CCM Lite was primarily developed to address the needs of Small and Medium-sized Businesses (SMBs), with limited resources providing them with a streamlined solution for cloud security.
The CCM Lite includes:
- 91 controls
- Mappings
- CAIQ Lite
- Implementation Guidelines
- Auditing Guidelines
- Machine Readable (JSON/ YAML/OSCAL)
*CCM Lite submissions are accepted into the STAR Registry.
Who should use the CCM Lite?
The CCM Lite is designed as a cost-effective solution for low-risk profile cloud organizations, particularly Small and Medium Enterprises (SMEs) and Startups with limited IT and cybersecurity resources. It offers streamlined controls that prioritize essential cloud security measures, enabling SMEs to establish basic security hygiene and protect their infrastructure from common cloud security attacks.
While not a replacement for the CCMv4, the CCM Lite is a valuable resource for SMEs looking to improve their security posture within their resource constraints.
Which security domains are covered by the CCM Lite?
Want to learn about best practices for each of these domains?
Read the CSA Security Guidance first.
CAIQ Lite
The CAIQ Lite is a simplified version of the Consensus Assessments Initiative Questionnaire (CAIQ), developed through extensive research, testing and a review process. CAIQ Lite streamlines the assessment process, empowering cybersecurity professionals to engage cloud vendors more efficiently.
It features 124 questions across 17 control domains of the CCM v4.
STAR and CCM Lite
STAR encompasses the key principles of transparency, rigorous auditing, and harmonization of standards outlined in the Cloud Controls Matrix (CCM) . Publishing to the registry allows organizations to show current and potential customers their security and compliance posture.
As of October 9, 2024, CCM Lite submissions are accepted into the STAR Registry.Join the Working Group
Interested in contributing to future versions of the Cloud Controls Matrix or CAIQ? You can volunteer for the working group to stay up to date on the latest projects related to the CCM and participate in future initiatives.