Cloud Controls Matrix (CCM)

About the CSA Cloud Controls Matrix

The Cloud Security Alliance Cloud Controls Matrix (CCM) is specifically designed to provide fundamental security principles to guide cloud vendors and to assist prospective cloud customers in assessing the overall security risk of a cloud provider. The CSA CCM provides a controls framework that gives detailed understanding of security concepts and principles that are aligned to the Cloud Security Alliance guidance in 13 domains. The foundations of the Cloud Security Alliance Controls Matrix rest on its customized relationship to other industry-accepted security standards, regulations, and controls frameworks such as the ISO 27001/27002, ISACA COBIT, PCI, NIST, Jericho Forum and NERC CIP and will augment or provide internal control direction for service organization control reports attestations provided by cloud providers. As a framework, the CSA CCM provides organizations with the needed structure, detail and clarity relating to information security tailored to the cloud industry. The CSA CCM strengthens existing information security control environments by emphasizing business information security control requirements, reduces and identifies consistent security threats and vulnerabilities in the cloud, provides standardized security and operational risk management, and seeks to normalize security expectations, cloud taxonomy and terminology, and security measures implemented in the cloud.

The Cloud Controls Matrix is part of the CSA GRC Stack.

Cloud Controls Matrix Leadership

Co-Chairs:
Sean Cordero, Cloud Watchmen
Evelyn DeSouza, Cisco

Download the Cloud Controls Matrix Version 3.0.1

What's New in CCM v3.0.1

• New or updated mappings to the following
  • AICPA 2014 Trust Services Criteria
  • Canada PIPEDA (Personal Information Protection Electronic Documents Act)
  • COBIT 5.0
  • COPPA (Children's Online Privacy Protection Act)
  • CSA Enterprise Architecture
  • ENISA (European Network Information and Security Agency) Information Assurance Framework
  • European Union Data Protection Directive 95/36/EC
  • FERPA (Family Education and Rights Privacy Act)
  • HIPAA/HITECH act and the Omnibus Rule
  • ISO/IEC 27001:2013
  • ITAR (International Traffic in Arms Regulation)
  • Mexico - Federal Law on Protection of Personal Data Held by Private Parties
  • NIST SP800-53 Rev 3 Appendix J
  • NZISM (New Zealand Information Security Manual)
  • ODCA (Open Data Center Alliance) Usage Model PAAS Interoperability Rev. 2.0
  • PCI DSS v3
• Consolidation of redundant controls
• Rewritten controls for clarity of intent, STAR enablement, and SDO alignment

Cloud Controls Matrix v3.0.1 Contributors

"We value your volunteer contributions and believe that the devotion of volunteers like you will continue to lead CSA into the future"

- J.R. Santos, CSA Global Research Director

Working Group (WG) Co-Chair(s)

• Sean Cordero
• Evelyn DeSouza

CSA Global Support

• Daniele Catteddu
• Alexander Ginsburg
• Frank Guanco
• John Howie
• JR Santos
• Evan Scoboria
• Kendall Scoboria
• John Yeoh

Contributors

• Assaf Afek-Levy
• Rizwan Ahmad
• Kelvin J Arcelay
• Richard Austin
• Anant Bardhan
• Jason Blake
• Bernard Bossuyt
• Bob Brammer
• Aaron Brown
• Vincent Campitelli
• Michael Carr
• Beth Chancellor
• Anand Choksi
• Sidharth Chugh
• Anton Chuvakin
• John DiMaria
• Jane Drews
• Sudarshana Rao Duttaluri
• Carlo Espiritu
• Masaaki Futagi
• Aurel Grigore
• Tanya Hale
• Ron Hale
• Oren Hamami
• JD Hascup
• Peter HJ van Eijk
• Giles Hogben
• Paul Howell
• Muhammad Imran Tariq
• Bernd Jaeger
• Bobby Jen
• Vladimir Jirasek
• David Johnson
• Maura Johnston
• Torie Jones
• Audrey Katcher
• Karen Keehan
• Thomas Kenyon
• Kathleen Kimball
• Valdez Ladd
• Tamba Lamin
• Manny Landron
• Antoine Laureau
• Ted LeSeur
• Marquess Lewis
• Kevin Linderman
• David Lingenfelter
• Dan Logan
• Gloria Marcoccio
• Steve Markey
• Ashley Matteson
• Felix Mohan
• Gene Naftulyev
• Geoff Nathan
• Tony Noblett
• John Noone
• Michele Norin
• Heather Ouelette
• Mano Paul
• Martha Pelkey
• Martha Pelkey
• Eric Pinkerton
• Ray Pompon
• Steve Primost
• Linda Pruss
• Chinmoy Rajpal
• Sai Ramanan
• David Rooker
• David Roque
• Keyun Ruan
• Tim Sandage
• Aaron Sanders
• Lain Scott
• Richard Scott
• Theresa Semmens
• Roshan Neville Sequeria
• Paritosh Sharma
• Andrea Simmons
• Vinoth Sivasubramanian
• Joel Sloss
• Gerry Sneeringer
• Mitesh Soni
• Joe St. Sauver
• Joe Stevens
• Becky Swain
• Eva Sweet
• Jakub Syta
• Todd Thiemann
• Marco Tietz
• Stan Waddell
• Sam Wilke
• Aaron Wilson
• Sam Wilson
• Haidong Xia

Download the Cloud Controls Matrix Version 3

About CCM v3

The CSA Cloud Control Matrix (CCM) Version 3.0, is a comprehensive update to the industry’s gold standard for assessing cloud centric information security risks. The CCM Version 3.0 expands its control domains to address changes in cloud security risks since the release of the CSA’s seminal guidance domain, “Security Guidance for Critical Areas of Focus in Cloud Computing version 3.0” while making strides towards closer harmonization of the two.

Having drawn from industry-accepted security standards, regulations, and control frameworks such as ISO 27001/2, the European Union Agency for Network and Information Security (ENISA) Information Assurance Framework, ISACA’s Control Objectives for Information and Related Technology, the American Institute of CPAs Trust Service and Principals Payment Card Industry Data Security Standard, and the Federal Risk and Authorization Management Program, the updated CSA CCM control domain provides organizations with the cohesiveness of controls needed to manage cloud centric information security risks. This major restructuring of the CCM also captures the needs of cloud security governance in the near future, where it will serve as an annual check in updating future controls, further ensuring CCM remains in line with future technology and policy changes.

CCM Version 3.0 includes the following updates:

• Five new control domains that address information security risks over the access of, transfer to, and securing of cloud data: Mobile Security; Supply Chain Management, Transparency & Accountability; Interoperability & Portability; and Encryption & Key Management
• Improved harmonization with the Security Guidance for Critical Areas of Cloud Computing v3
• Improved control auditability throughout the control domains and an expanded control identification naming convention

Cloud Controls Matrix v3 Contributors

Working Group (WG) Co-Chair(s)

• Sean Cordero
• Evelyn DeSouza

CSA Global Support

• Daniele Catteddu
• Alexander Ginsburg
• Frank Guanco
• JR Santos
• Evan Scoboria
• Kendall Scoboria
• Becky Swain
• John Yeoh

Contributors

• Assaf Afek-Levy
• Kelvin J Arcelay
• Anant Bardhan
• Bernard Bossuyt
• Anand Choksi
• John DiMaria
• Carlo Espiritu
• JD Hascup
• Peter HJ van Eijk
• Giles Hogben
• Muhammad Imran Tariq
• Bernd Jaeger
• Vladimir Jirasek
• David Johnson
• Thomas Kenyon
• Valdez Ladd
• Tamba Lamin
• Anoine Laureau
• Felix Mohan
• Gene Naftulyev
• Tony Noblett
• Heather Ouelette
• Steve Primost
• Richard Scott
• Paritosh Sharma
• Andrea Simmons
• Vinoth Sivasubramanian
• Mitesh Soni
• Jakub Syta
• Sam Wilke

Download the Cloud Controls Matrix Version 1.4

About CCM v1.4

Version 1.4 of the Cloud Controls Matrix includes two new mapping columns relating to AICPA's SOC 2 engagement. The SOC 2 report provides cloud service organizations and cloud users more flexibility related to compliance and operational reporting controls. It addresses risk of IT-enabled systems and privacy programs beyond the controls necessary for financial reporting.

Cloud Controls Matrix V1.4 Contributors

Working Group (WG) Co-Chair(s)

• Evelyn de Souza
• Sean Cordero
• Thomas Kenyon

CSA Research Global Support

• J.R. Santos
• John Yeoh

Control Area Mapping Leads

• Audrey Katcher
• Chris Halterman
• Janis Parthun
• Erin Mackler

About AICPA

The AICPA is the world’s largest member association representing the accounting profession, with nearly 386,000 members in 128 countries and a 125-year heritage of serving the public interest. AICPA members represent many areas of practice, including business and industry, public practice, government, education and consulting. The AICPA sets ethical standards for the profession and U.S. auditing standards for audits of private companies, nonprofit organizations, federal, state and local governments. It develops and grades the Uniform CPA Examination and offers specialty credentials for CPAs who concentrate on personal financial planning; fraud and forensics; business valuation; and information technology. Through a joint venture with the Chartered Institute of Management Accountants, it has established the Chartered Global Management Accountant designation to elevate management accounting globally.

Download the Cloud Controls Matrix Version 1.3

Cloud Controls Matrix V1.3 Contributors

Working Group (WG) Co-Chair(s)

• Becky Swain
• Evelyn de Souza
• Sean Cordero
• Thomas Kenyon

CSA Research Global Support

• J.R. Santos
• John Yeoh

Control Area Mapping Leads

• Balaji Ramamoorthy
• Chris Davis
• Daniel Philpott
• David Lingenfelter
• Doug Barbin
• Evelyn de Souza
• Matthew Metheny
• The Late Ron Knode
• Tim Mather

About FedRAMP

The Federal Risk and Authorization Management Program (FedRAMP) is a US government-wide mandated program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. This approach uses a “do once, use many times” framework that is intended to save cost, time, and staff required to conduct redundant agency security assessments. There are no “new” controls for FedRAMP. The FedRAMP security controls are based on NIST SP 800-53 R3 controls for low and moderate impact systems and contain controls and enhancements above the NIST baseline for low and moderate impact systems that address the unique elements of cloud computing. For additional information, refer to the FedRAMP FAQ website located at: http://www.gsa.gov/portal/category/102439.

Authoritative Source:
http://www.gsa.gov/graphics/staffoffices/FedRAMP_Security_Controls_072912.zip

Download the Cloud Controls Matrix Version 1.2

Cloud Controls Matrix V1.2 Contributors

CSA CCM Leadership Team

• Becky Swain, CIPP/IT, CISSP, CISA – CCM Co-Founder/Chair, CSA Silicon Valley Chapter Board Member, Partner, EKKO Consulting
• Philip Agcaoili – CCM Co-Founder/Chair, CSA Atlanta Chapter Co-Founder/Board Member
• Kip Boyle, CISM, CISSP – CCM Project Manager
• Jim Reavis – CSA Executive Director

Contact the CCM Leadership Team:
Email

Data Governance (DG)

• Vijaya Kumar Teki (Lead)
• Abhik Chaudhuri

Resiliency (RS)

• Tim J Sandage (Lead)
• Balaji Palanisamy
• Keith Prabhu

Jericho Forum

• Brad Bemis (Lead)
• Abhik Chaudhuri
• Kanchanna Ramasamy Balraj
• MS Prasad
• Tajeshwar Singh
• Phil Agcaoili

Compliance (CO)

• JD Hascup (Lead)
• Abhik Chaudhuri
• Angela Polania
• Kanchanna Ramasamy Balraj
• Vijaya Kumar Teki
• Visvesvara Ravikanth Anisingaraju

Information Security (IS)

• Visvesvara Ravikanth Anisingaraju (Lead)
• Ted Skinner
• Kent Zhou
• Steve Dotson
• Laura Kuiper
• Adam Politsch
• Nadeem Bukhari

Quality Assurance (QA)

• John DiMaria (Lead)
• Kelvin Arcelay
• Gary Sheehan
• Lisa Peterson
• John Sapp
• Henry Ojo
• Renne’ Devasia
• Taiye Lambo

Facility Security (FS)

• Visvesvara Ravikanth Anisingaraju (Lead)
• Keith Prabhu

Human Resources (HR)

• Vijaya Kumar Teki (Lead)

Legal (LG)

• Eric Hibbard (Lead)
• Kenton Morneau
• Rizwan Ahmad
• Steve Dotson

Operations Management (OM)

• Vijaya Kumar Teki (Lead)
• Visvesvara Ravikanth Anisingaraju
• Ted Skinner

Risk Management (RI)

• Dan Cimpean (Lead)
• Cedric Lempereur
• Abhik Chaudhuri
• Angela Polania
• Kenton Morneau
• Eduardo Haruo Kamioka
• Devesh Bhatt
• Eric Phifer
• JD Hascup

Release Management (RM)

• Visvesvara Ravikanth Anisingaraju (Lead)

Security Architecture (SA)

• Jeff Lockwood (Lead)
• Balaji Palanisamy
• Deep Mallangadakalaiah
• Kanchanna Ramasamy Balraj
• Kenton Morneau
• Laura Kuiper
• Visvesvara Ravikanth Anisingaraju
• Stefano Ciminelli
• Steve Dotson
• Ted Skinner
• Usha Rajsekar
• Vijaya Kumar Teki

NERC CIP

• Cary Stronach (Co-Lead)
• Donald Schleede (Co-Lead)
• Michael Craigue, Ph.D.
• Balaji Palanisamy
• Nikita Reva

Download the Cloud Controls Matrix Version 1.1

Cloud Controls Matrix V1.1 Contributors

CSA CCM Leadership Team

• Becky Swain, CIPP/IT, CISSP, CISA – CCM Co-Founder/Chair, CSA Silicon Valley Chapter Board Member, Partner, EKKO Consulting
• Marlin Pohlman – CCM Co-Chair
• Philip Agcaoili – CCM Co-Founder/Chair, CSA Atlanta Chapter Co-Founder/Board Member
• Kip Boyle, CISM, CISSP – CCM Project Manager
• Jim Reavis – CSA Executive Director

Contact the CCM Leadership Team:
Email

CSA CCM R1.1 – S/P/I Ownership

• Guy Bejerano – LivePerson CSO (Lead)
• Philip Richardson, CISSP, A.Inst.ISP, MBCS – Logicalis UK Ltd
• Paul Stephen – Ernst and Young LLP

CSA CCM R1.1 – COBIT 4.1

• Georges Ataya Solvay – Brussels School of Economics and Management
• April Battle – MITRE
• Akira Shibata – NTT DATA Corp
• Elizabeth Ann Wickham – L47 Consulting Limited
• Marcelo Gonzalez – Banco Central Republica Argentina
• Mark Lobel – PricewaterhouseCoopers LLP
• Meenu Gupta – Mittal Technologies
• Ramesan Ramani – Paramount Computer Systems
• Yves Le Roux – CA Technologies

CSA CCM R1.1 – HIPAA / HITECH Act

• Joshua Schmidt, CISA, CISM – Vertafore, Inc. (Lead)
• Patty Williams – Symetra Financial

CSA CCM R1.1 – ISO/IEC 27001:2005

• MS Prasad, Exec Dir CSA India (Lead)
• Joel Cort, CISSP, ISO 27001 Lead Auditor – Xerox Corporation
• Laura Kuiper – Cisco Systems, Inc.
• Kyle Lai, CISSP, CSSP, CISA, CIPP/G – KLC Consulting, Inc.
• Thomas Loczewski, CISSP, CRISC, CCSK – Ernst and Young GmbH, Germany
• Pritam Bankar, CISA, CISM – Infosys Technologies Ltd.

CSA CCM R1.1 – NIST SP800-53 + FedRAMP

• Daniel Philpott – Tantus Technologies, FISMApedia.org (Lead)
• Pritam Bankar, CISA, CISM – Infosys Technologies Ltd.
• Kyle Lai, CISSP, CSSP, CISA, CIPP/G – KLC Consulting, Inc.
• MS Prasad, Exec Dir CSA India
• Steve Primost, CISSP, CISM
• Philip Richardson, CISSP, A.Inst.ISP, MBCS – Logicalis UK Ltd
• Vincent Samuel, Archer Certified Consultant, Certified Application Security Specialist, Oracle Certified Associate – KPMG LLP
• Paul Stephen – Ernst and Young LLP
• Adalberto Afonso A Navarro F do Valle – Deloitte LLP

CSA CCM R1.1 – PCI DSS v2.0

• Pritam Bankar, CISA, CISM – Infosys Technologies Ltd. (Lead)
• Karthik Amrutesh, CISSP, CISA – Ernst and Young LLP
• Chris Brenton – Dell
• Dr. Anton Chuvakin – Security Warrior Consulting
• Michael Craigue, Ph.D. (CISSP, CSSLP) – Dell
• Jakob Holm Hansen, CISA, CISSP, ABCP – Neupart A/S
• Addison Lawrence – Dell
• Steve Primost, CISSP, CISM
• Philip Richardson, CISSP, A.Inst.ISP, MBCS – Logicalis UK Ltd.
• Paul Stephen – Ernst and Young LLP

CSA CCM R1.1 – BITS Shared Assessment AUP v5.0 / SIG v6.0

• Niall Browne, CCSP, CISA, CISSP, CCSI – LiveOps
• Henry Ojo – Kamhen Services Ltd, HISPI

CSA CCM R1.1 – GAPP

• Thej Mehta, CISA, ITIL v3 Foundation, ISACA San Francisco Chapter: 2nd Vice President and Education Program Chair, KPMG LLP (Lead)
• Pritam Bankar, CISA, CISM – Infosys Technologies Ltd.
• Thomas Loczewski – Ernst and Young LLP
• Lloyd Wilkerson – Robert Half International
• Anna Tang, CISSP, CIPP, CIPP/IT, Cisco Systems, Inc.

CSA CCM R1.1 – QA Team

• John DiMaria – HISPI (Lead)
• Taiye Lambo – eFortresses, Inc , HISPI
• Kelvin Arcelay, CISM, CISSP, CRISC, HISP, ISMS Auditor, PMP, SSGB – Arcelay & Associates, HISPI
• Henry Ojo – Kamhen Services Ltd, HISPI
• Lisa Peterson, CISA, CISSP – Progressive Insurance, HISPI
• Dale Pound – SAIC, HISPI
• John Sapp – McKesson Healthcare, HISPI
• Gary Sheehan – Advanced Server Management Group, Inc., HISPI
• Greg Zimmerman – Jefferson Wells, HISPI

Download the Cloud Controls Matrix Version 1.0

Cloud Controls Matrix V1.0 Contributors

CSA CCM Leadership Team

• Becky Swain, CIPP/IT, CISSP, CISA – CCM Co-Founder/Chair, CSA Silicon Valley Chapter Board Member, Partner, EKKO Consulting
• Marlin Pohlman – CCM Co-Chair
• Philip Agcaoili – CCM Co-Founder/Chair, CSA Atlanta Chapter Co-Founder/Board Member
• Kip Boyle, CISM, CISSP – CCM Project Manager
• Jim Reavis – CSA Executive Director

Contact the CCM Leadership Team:
Email

CSA CCM R1.0 Contributors

• Philip Agcaoili (co-chair)
• Becky Swain (co-chair)
• Marlin Pohlman (co-chair)
• Mike Craigue
• Phil Genever-Watling
• Addison Lawrence
• Chandrasekar Umpathy
• Andy Dancer
• Anton Chuvakin
• Georg Heß
• Glen Jones
• Larry Harvey
• M S Prasad
• Patrick Sullivan
• Steve Primost
• Tajeshwar Singh
• Thomas Loczewski
• Dan Philpott

Cloud Controls Matrix News

January 14, 2015

EY helps Ribose Make History with First Cloud Security Alliance (CSA) STAR Attestation

EY helps Ribose Make History with First Cloud Security Alliance (CSA) STAR Attestation

July 11, 2014

CCM & CAIQ v3.0.1 Version Update Soft Launch

We are very excited to announce the soft launch of the CCM and CAIQ ​v.3.0.1. We invite you to download both documents during this early review period

July 05, 2014

Upcoming Webinar: Triaging the Cloud – 5 Steps to Putting the Cloud Controls Matrix to Work to Safely Enable Cloud Services in Your Enterprise

Join Cloud Security Alliance Chief Operating Officer, John Howie, Pandora Director of Information Security, Doug Meier, and Netskope Chief Scientist, Krishna Narayanaswamy, for a practical discussion and set of next steps to making the CCM work for you and triaging the apps you discover.

April 09, 2014

CSA Seeks Input on Open Peer Review: CCM v3.0.1

Cloud Security Alliance announces an open peer review period for the Cloud Controls Matrix (CCM) v3.0.1, now through May 8, 2014.

February 12, 2014

Invitation to CSA CloudBytes: CSA STAR Certification

Don’t miss your chance to join experts and learn more about the CSA STAR Certification on Thursday, February 20th at 11:00am (Pacific Time).

November 22, 2013

Cloud Security Alliance Announces Bonus Workshop Series At 2013 US Congress

The five workshops will provide participants with the opportunity to explore key topics in cloud security in an intensive daylong session led by some of the world’s most prominent cloud security practitioners.

October 07, 2013

CSA Releases CCM v3.0 Info Sheet for Updates on New Controls, Domains

The CCM v3.0 Info Sheet is designed to update users on domain changes, control additions, and alignment to other CSA and industry standards documents.

September 26, 2013

Cloud Security Alliance Releases Cloud Controls Matrix, Version 3.0

The industry standard for cloud security now includes expanded controls to assess cloud service provider information security risks.

February 25, 2013

CSA Seeks Input For Open Peer Review: CCM v3.0

The Cloud Security Alliance has released a draft of the latest version of the Cloud Control Matrix, CCM v3.0 for public peer review.

February 12, 2013

CSA Announces Working Group Sessions at RSA in San Francisco

CSA is hosting sessions during the week for some of our active working groups. These are free events that will be held outside of the regular conference on Thursday, February 28th.

Downloads relating to the Cloud Controls Matrix

AOSSL and CCM Technote

Release Date: December 18, 2014

Download

Cloud Controls Matrix v3.0.1 Info Sheet

Release Date: July 29, 2014

Download

Cloud Controls Matrix v3.0.1

New and updated mappings, consolidation of redundant controls, rewritten controls for clarity of intent, STAR enablement, and SDO alignment.

Release Date: July 11, 2014

Download

CCM v3.0 Info Sheet

Release Date: October 07, 2013

Download

Cloud Controls Matrix v3.0

Cloud Controls Matrix (CCM) Version 3.0, is a comprehensive update to the industry’s gold standard for assessing cloud centric information security risks.

Release Date: September 26, 2013

Download

Cloud Controls Matrix v1.4

Release Date: March 08, 2013

Download

Cloud Controls Matrix v1.3

Release Date: September 20, 2012

Download

Cloud Controls Matrix v1.2

Release Date: August 26, 2011

Download

Cloud Controls Matrix V1.1

Release Date: December 17, 2010

Download

Cloud Controls Matrix V1.01

Release Date: October 20, 2010

Download

Cloud Controls Matrix V1.0

Release Date: April 27, 2010

Download