Open Certification Framework (OCF) Working Group

Introduction to the Open Certification Framework (OCF) Working Group

The CSA Open Certification Framework (OCF) Working Group is an industry initiative to allow global, accredited, trusted certification of cloud providers.

The CSA Open Certification Framework (OCF) Working Group is a program for flexible, incremental and multi-layered cloud provider certification according to the Cloud Security Alliance’s industry leading security guidance and control objectives.

The program will integrate with popular third-party assessment and attestation statements developed within the public accounting community to avoid duplication of effort and cost.

The CSA Open Certification Framework (OCF) Working Group is based upon the control objectives and continuous monitoring structure as defined within the CSA GRC (Governance, Risk and Compliance) Stack research projects.

The CSA Open Certification Framework (OCF) Working Group will support several tiers, recognizing the varying assurance requirements and maturity levels of providers and consumers. These will range from the CSA Security, Trust and Assurance Registry (STAR) self-assessment to high-assurance specifications that are continuously monitored.

Download the Open Certification Framework (OCF) Working Group Charter


The CSA Open Certification Framework (OCF) Working Group provides:

  • A path for any region to address compliance concerns with trusted, global best practices. For example, we expect governments to be heavy adopters of the CSA Open Certification Framework to layer their own unique requirements on top of the GRC Stack and provide agile certification of public sector cloud usage.
  • An explicit guidance for providers on how to use GRC Stack tools for multiple certification efforts. For example, scoping documentation will articulate the means by which a provider may follow an ISO/IEC 27001 certification path that incorporates the CSA Cloud Controls Matrix (CCM).
  • A “recognition scheme” that would allow us to support ISO, AICPA and potentially others that incorporate CSA IP inside of their certifications/framework. CSA supports certify-once, use-often, where possible.

CSA aims to harmonize and simplify provider certifications, not complicate them.

Open Certification Framework (OCF) Working Group Leadership

Open Certification Framework (OCF) Co-chairs

Andrew Williams Headshot

Andrew Williams

Director of Program Development, Coalfire

Andrew Williams is the Director of Program Development at Coalfire. In this role, he is responsible for working closely with Coalfire customers, industry bodies and regulatory authorities, and internal stakeholders to ensure Coalfire’s services, delivery, and talent are aligned to the needs of the future compliance and security landscape.

Andrew previously worked as practice director for Coalfire’s cloud assessment and risk advisory teams. As practice director, he oversaw Coalfire’s sales, delivery, and professional development strategy for all advisory and assessment personnel delivering services to cloud computing customers.

Since joining Coalfire in 2014, he has functioned as a subject matter expert for cloud compliance, cloud network architecture, cloud administrator and cloud customer access control, and secure code development. He has extensive experience with the NIST 800-53 framework and the NIST IT security landscape; FedRAMP, FISMA, DISA, and DOD program development and security architecture design; and general controls client advisory. Andrew has directed engagements at more than 40 different cloud service providers and has supported many more, bringing deep experience with AWS, the Microsoft Cloud, Google, and hybrid enterprise scale environments.

Ronald Tse Headshot

Ronald Tse

CEO, Ribose

Ronald Tse is the Founder and CEO of Ribose, leading its strategic development and technology roadmap. He graduated from Brown University with bachelor's degrees magna cum laude in Computer Science and Biology, and a master's degree in Computer Science.

Ronald currently serves CalConnect as Vice President and Director of External Relationships, founding co-chair of CalConnect's TC VCARD, TC PUBLISH and TC DATETIME committees, CSA's SaaS Governance and DevSecOps working groups, member of the CSA International Standardization Council, Convener of ISO/TC 154/WG 5, and expert representative to ISO committees including ISO/TC 154, ISO/TC 211, ISO/TC 46, ISO/TC 37, ISO/IEC JTC 1/SC 27 and ISO/IEC JTC 1/SC 38, ISO/TMBG/SAG_MRS for CalConnect, CSA, Hong Kong, China and Canada.

Most recently, he helped shaped the ISO 8601-1 and ISO 8601-2 date and time standards. He previously worked in the life sciences industry and performed research on highly-scalable distributed systems at Brown and MIT.

Under his leadership, Ribose has been consistently awarded the industry's highest cloud security ratings, it became the world's first organization to achieve certification to the NIST Cybersecurity Framework (Tier 4), Singapore's Multi-Tier Cloud Security (Level 3), the only organization to be triple assured by the Cloud Security Alliance: CSA STAR Attestation, CSA STAR Certification and CSA C-STAR Assessment, as well as the first in the industry to receive BSI's Kitemark for Secure Digital Transactions.

He has been named recipient of the CSA Ron Knode Award for his service to cloud security, and is an IAPP Fellow of Information Privacy, a member of Sigma Xi, a CISSP-ISSAP, ISSMP, CSSLP, CAP, SSCP, CISA, CISM, CRISC, CGEIT, CIPP/US, CIPM, CIPT, PSM I-II-III, PSPO I-II, PSD and CCIE Emeritus #9650.

Ryan Mackie Headshot

Ryan Mackie

Principal, Schellman & Company

Ryan Mackie is a Principal at Schellman & Company, LLC. Ryan manages SOC, PCI-DSS, ISO, HIPAA, and Cloud Security Alliance (CSA) STAR Certification and Attestation service delivery and also oversees the firm-wide methodology and execution for the ISO certification services, including ISO 27001, ISO 9001, ISO 20000, and ISO 22301 as well as CSA STAR certification services. He has over 20 years of experience, including 14 at Schellman, 2 at Protiviti, and 5 at KPMG.

Ryan also is an active member of the CSA and sits on the Open Control Framework committee which is responsible for the CSA STAR Program methodology and execution. Ryan maintains an active Certificate of Cloud Security Knowledge (CCSK), Certified Internal Auditor (CIA), Certified Information Systems Auditor (CISA), and Certified Information Systems Security Professional (CISSP).

Andreas Fuchsberger

Andreas Fuchsberger

Andreas Fuchsberger is a Standards Officer in Microsoft’s Corporate Standards Group. In this role he participates in the international standards community, predominantly attending ISO/IEC JTC 1/SC 27 (IT Security Techniques) as a UK NB delegate and ITU-T SG 17 (Security) as an ISO invited expert. Currently for SC 27 he is the convener of the Special Working Group on Traversal Items and the editor of 2 international standards on network security and security information and event management (SIEM).

Andreas co-chairs the Cloud Security Alliance’s International Standards Council where he is the liaison officer to ITU-T SGs 13 and 17. He also co-chairs CSA’s Open Certification Framework working group. He has been an appointed member of (ISC)2‘s Application Security Advisory Board (ASAB)

Previously Andreas was a full-time academic at the internationally recognized Information Security Group at Royal Holloway, University of London, where he previously lectured in the areas of network, computer and software security. He has over 20 years of experience in teaching and running training programmes in IT security architecture, design and programming. He has published articles on programming and network security, intrusion detection/prevention and vulnerability analysis.

Andreas holds the joint CSA/(ISC)2 CCSP as well as CISSP, ISSAP and CSSLP credentials of (ISC)2. He is a registered Chartered Engineer (CEng) of the Engineering Council UK as well as a EUR ING of Fédération Européenne d’Associations Nationales d’Ingénieurs (FEANI).

Contributions: Co-chair of the CSA’s International Standardization Council and Open Certification Working Group Leadership. Speaker at numerous events, including the 2015 U.S. Congress and the CSA APAC CISO Forum in 2013.

Open Certification Framework (OCF) Advisors

Daniele Catteddu

Daniele Catteddu

Chief Technology Officer, CSA

Daniele Catteddu is an information security and risk management practitioner, technologies expert and privacy evangelist with over 15 of experience. He worked in several senior roles both in the private and public sector. He is member of various national and international security expert groups and committees on cyber-security and privacy, keynote speaker at several conferences and author of numerous studies and papers on risk management, cyber security and privacy.

Currently he is the Chief Technology Officer, at Cloud Security Alliance, where he is responsible to drive, on a global scale, the adoption of the technology strategy roadmap within key CSA lines of business: Research, Membership Services, Standards, Education and Products. He identifies technology trends, global policies and evolving social behavior and their impact on information security and on CSA’s activities.
Daniele leads the product management for CSA and chairs the Futures Advisory Committee.

Mr Catteddu is the co-founder and executive of the CSA Open Certification Framework / STAR Program. Moreover he leads definition and implementation of the CSA research agenda in Europe and manages the relations with European public institutions and is member of the CSA International Standardization Council.

He has been recently appointed as Member of the Policy and Scientific Committee of the European Privacy Association.

In past he worked at CSA as Managing Director for the EMEA Region, at ENISA (European Network and Information Security Agency), as Expert in areas of Critical Information Infrastructure Protection (CIIP) and Emerging and Future Risks Management, and in particular, having a leading role in developing EU cloud security research. Before joining ENISA, Daniele worked as an Information Security consultant in the banking and financial sector. Daniele graduated from the University of Parma (Italy) in Business Administration and Economics, and he is an ISACA Certified Information Security Manager.

John DiMaria

John DiMaria

John DiMaria is the Sr. Product Manager, System Certification for BSI Americas. He has 30 years of successful experience in Standards and management System Development, including Information Systems, ISMS, Business Continuity and Quality Assurance. John is responsible for overseeing, product roll-out, and client/sales education. He is a product spokesperson for BSI Americas regarding all standards covering Risk, Quality, Sustainability and Regulatory Compliance. John was one of the key innovators of CSA STAR Certification for cloud providers, a contributing author of the American Bar Association’s Cybersecurity Handbook, a working group member and key contributor to the NIST Cybersecurity Framework. He currently serves as the CSA OCF and CTP working group Co-Chair and is a member of the SME and CSA Financial Services Stakeholder Platform (FSSP) Working Groups.

John has been a keynote speaker internationally, and featured in many publications concerning various topics regarding security, quality and business continuity. He has served on committees that influence legislation and drive international harmonization such as the ANAB PS-Prep (Title IX) committee of experts, Shared Assessment Program, and the Cloud Security Alliance (CSA) Controls Matrix Development Committee. He currently serves on the ANSI Energy Efficiency Standardization Coordination Collaborative (EESCC). He is a BCI award winner, and BSI Innovation award winner.

Contributions: Co-chair of the Open Certification Framework (OCF) and Cloud Trust Protocol (CTP) Working Groups; key innovator and co-author of the CSA STAR certification; designed and developed the CSA STAR webinars.

Open Certification Framework (OCF) Working Group Initiatives

Please contact Open Certification Framework (OCF) Working Group Leadership for more information.

Join Working Group

Address Information

In what ways do you see yourself contributing?

Having read and understood the CSA’s Privacy Policy,

I specifically consent to receive marketing messages via the following channels:

Open Certification Framework (OCF) Working Group Downloads

Streamlining Vendor IT Security and Risk Assessments

Streamlining Vendor IT Security and Risk Assessments

A perspective on standards-based assurance of Cloud Providers.

Release Date: 12/09/2018
CSA STAR Program & Open Certification Framework in 2016 and Beyond

CSA STAR Program & Open Certification Framework in 2016 and Beyond

The Cloud Security Alliance (CSA) Security, Trust and Assurance Registry (STAR) program is the industry’s leading trust mark for cloud security. The CSA Open Certification Framework (OCF) is a program for flexible, incremental and multi-layered CSP certifications according to the CSA’s industry leading security guidance. The OCF/STAR program comprises a global cloud computing assurance framework with a scope of capabilities, flexibility of execution, and completeness of vision that far exceeds the risk and compliance objectives of other security audit and certification programs.

Release Date: 04/12/2016
STAR Certification Guidance Document: Auditing the Cloud Controls Matrix (CCM)

STAR Certification Guidance Document: Auditing the Cloud Controls Matrix (CCM)

There are a number of control areas on the CCM that will each be awarded a management capability score on a scale of 1-15. This 2nd version release includes alignment with the CCM v1.4 and v3.X.

Release Date: 05/16/2014
Publicizing Your STAR Certification

Publicizing Your STAR Certification

The following guidelines will help you to apply good practice in publicizing, communicating and promoting your certification to stakeholders, including staff, customers and business partners, and to the general public.

Release Date: 09/03/2013
Requirements for Bodies Providing STAR Certification

Requirements for Bodies Providing STAR Certification

This document outlines how to conduct a STAR certification assessments to the Cloud Controls Matrix (CCM) as part of an ISO 27001 assessment.

Release Date: 02/22/2019
OCF Vision Statement

OCF Vision Statement

The CSA Open Certification Framework is a program for flexible, incremental and multi-layered cloud provider certification according to the Cloud Security Alliance’s industry leading security guidance and control objectives.

Release Date: 08/17/2012