
Working Group

Security Controls Catalog

Expanding CSA's CCM, developing implementation guidelines, and maintaining a repository of controls as code.
The Security Controls Catalog WG operates as a foundational component of the Compliance Automation Revolution (CAR) Initiative, which provides the foundation for compliance by design, security and compliance automation, and continuous assurance through a unified control architecture that enables governance-as-code, risk quantification, real-time monitoring and reporting, and regulatory harmonization across cloud and emerging technologies.

In alignment with CAR’s vision of providing a shared, extensible, and technology-neutral control architecture, the Security Controls Catalog WG is tasked with maintaining a canonical Security Controls Catalog that enables consistent mapping, automation, and implementation across diverse cloud environments and regulatory landscapes. This includes stewardship of machine-readable controls, metadata governance, and integration across CSA and external initiatives.

Key responsibilities:
  • Define and maintain a canonical set of cloud- and technology-agnostic controls and control metadata aligned with industry standards, regulations, and CSA-specific frameworks (CCM, AICM, IoT, etc.)
  • Ensure interoperability and mapping across global regulatory frameworks, industry standards, and risk management approaches through a common controls schema and ontology
  • Support the development, curation, and publication of machine-consumable control representations (e.g., JSON, YAML, and OSCAL API-accessible formats) for integration into third-party tools and platforms
  • Provide governance for the lifecycle management of control content, including version control, audit trail, change management, and deprecation
  • Develop implementation and auditing guidance that supports adoption and tailoring of controls across different cloud service models, sectors, and compliance use cases
  • Collaborate with other CSA working groups, including CCM, STAR, AI safety and assurance, and regulatory mapping to ensure cross-domain alignment and reduce redundancy across controls
  • Serve as an expert advisory and review body for control framework updates, proposed mappings, and external contributions
  • Drive ongoing analysis and integration of global regulatory and policy changes into the catalog to ensure relevance and applicability
  • Promote awareness, adoption, and contributions to the Security Controls Catalog through public engagement, webinars, community calls, and working sessions
  • Establish sub-groups or focused task forces to address specialized topics such as controls rationalization, sector-specific requirements, real-time monitoring and reporting, automation, and machine-readability

Working Group Leadership

Andy Ruth

Content Developer, CSA

Daniele Catteddu

Chief Technology Officer, CSA

Daniele Catteddu is an information security and risk management practitioner, technologies expert and privacy evangelist with over 15 years of experience. He has worked in several senior roles in both the private and public sector. He is a member of various national and international security expert groups and committees on cyber-security and privacy, a keynote speaker at several conferences and the author of numerous studies and papers on risk management, ...

Larry Hughes

VP of Research & Development, CSA

Larry Hughes is the Vice President of Research and Development at the Cloud Security Alliance. With more than 20 years of experience in the security industry, Larry holds five advanced security certifications, including CCSK, CCSP, and CISSP. His past roles include Principal Consultant at LJH Cybersecurity, GRC Director at Equinix, and Head of Information Security at 

Publications in Review (with open-until dates):
  • Post-Quantum Cryptography Key Management: open until Mar 27, 2026
  • Leveraging the Health Data from IoT Wearables: open until Mar 31, 2026
  • Comparing FHE and Other PETs: open until Apr 17, 2026
  • MLOps Threat Model: open until Apr 17, 2026
Who can join?

Anyone can join a working group, whether you have years of experience or want to just participate as a fly on the wall.

What is the time commitment?

The time commitment for this group varies depending on the project. You can spend 15 minutes helping review a publication that's nearly finished, or help author a publication from start to finish.

Virtual Meetings

Attend our next meeting. You can just listen in to decide if this group is a good fit for you, or you can choose to actively participate. During these calls we discuss current projects, as well as share ideas for new projects. This is a good way to meet the other members of the group. You can view all research meetings here.

Open Peer Reviews

Peer reviews allow security professionals from around the world to provide feedback on CSA research before it is published.

Learn how to participate in a peer review here.

Post-Quantum Cryptography Key Management

Open Until: 03/27/2026

This paper presents an in-depth analysis of Post-Quantum Cryptography (PQC) and its impact on key management practices in c...

Leveraging the Health Data from IoT Wearables

Open Until: 03/31/2026

Healthcare is undergoing a transformation, driven by big data and artificial intelligence (AI). This requires the collectio...

Comparing FHE and Other PETs

Open Until: 04/17/2026

Privacy-enhancing technologies offer a broad spectrum of solutions for challenges related to data confidentiality. However,...

MLOps Threat Model

Open Until: 04/17/2026

This paper sets the foundation for how we can apply the threat modelling practice of DevSecOps to MLOps. Please revi...