866.254.0000
Talk with a Specialist
Services
SOC & Attestations
Payment Card Assessments
ISO Certifications
Privacy Assessments
Federal Assessments
Healthcare Assessments
Penetration Testing
Cybersecurity Assessments
Crypto and Digital Trust
Schellman Training
ESG & Sustainability
AI Services
View All Services
Industry Solutions
Cloud Computing & Data Centers Meet a broad range of regulatory and industry compliance mandates for your customers
Financial Services & Fintech Cybersecurity assessments for both the banking industry and the financial service providers
Healthcare Reporting to manage risk and adhere to applicable laws and regulations
Payment Card Processing Validate compliance with the various forms of the PCI DSS
US Government Achieve authorization to work for federal agencies, DoD, and the associated contractor base
Higher Education & Research Laboratories Reinforce your commitment to securing your student's and institution's data.
View All Industry Solutions
Learning Center
Our Technology
About Us
Leadership Team
Careers
Corporate Social Responsibility
Strategic Partnerships
Visit About Us
Services
Services
View All Services
SOC & Attestations
SOC & Attestations
Payment Card Assessments
Payment Card Assessments
ISO Certifications
ISO Certifications
Privacy Assessments
Privacy Assessments
Federal Assessments
Federal Assessments
Healthcare Assessments
Healthcare Assessments
Penetration Testing
Penetration Testing
Cybersecurity Assessments
Cybersecurity Assessments
Crypto and Digital Trust
Crypto and Digital Trust
Schellman Training
Schellman Training
ESG & Sustainability
ESG & Sustainability
AI Services
AI Services
Industry Solutions
Industry Solutions
View All Industry Solutions
Cloud Computing & Data Centers
Cloud Computing & Data Centers
Financial Services & Fintech
Financial Services & Fintech
Healthcare
Healthcare
Payment Card Processing
Payment Card Processing
US Government
US Government
Higher Education & Research Laboratories
Higher Education & Research Laboratories
Learning Center
Our Technology
About Us
About Us
About Schellman
Leadership Team
Leadership Team
Careers
Careers
Corporate Social Responsibility
Corporate Social Responsibility
Strategic Partnerships
Strategic Partnerships
Talk with a Specialist

«  View All Posts

CSA CCM v.3.01 vs v4.0 Blog Feature
Daniel Valentin

By: Daniel Valentin

Print/Save as PDF

CSA CCM v.3.01 vs v4.0

 

Editor's note: The timelines in this article have been updated to reflect changes from the CSA.

On January 20, 2021, the Cloud Security Alliance (CSA) updated its Security Guidance v.4.0 to include extensive content addressing leading-edge cloud security practices.  The CCM provides a controls framework detailing understanding of security concepts and principles that are aligned to other industry-accepted security standards, regulations, and controls frameworks (i.e. ISO 27001/27002/27017/27018, NIST SP 800-53, AICPA TSC, German BSI C5, PCI DSS, ISACA COBIT, NERC CIP, FedRamp, CIS).  As part of the guidance update, Cloud Control Matrix (CCM) v.4.0 was adjusted to ensure coverage of requirements deriving from new cloud technologies, new controls and the security responsibility matrix, improved auditability of the controls, and enhanced interoperability and compatibility with other standards.

Prior to the publication, the previous version of the CCM, v.3.0.1, comprised 133 control objectives over 16 domains, covering key aspects of cloud technology mapped to leading standards, best practices, and regulations.  The new Version 4.0 now includes 197 control objectives over 17 domains, as noted below:

Domain Controls
Audit and Assurance (A&A) 6
Application and Interface Security (AIS) 7
Business Continuity Management and Operational Resilience (BCR) 11
Change Control and Configuration Management (CCC) 9
Cryptography, Encryption and Key Management (CEK) 21
Datacenter Security (DCS) 15
Data Security and Privacy Lifecycle Management (DSP) 19
Governance, Risk and Compliance (GRC) 8
Human Resources (HRS) 13
Identity and Access Management (IAM) 16
Interoperability and Portability (IPY) 4
Infrastructure and Virtualization Security (IVS) 9
Logging and Monitoring (LOG) 12
Security Incident Management, E-Discovery, and Cloud Forensics (SEF) 8
Supply Chain Management, Transparency, and Accountability (STA) 14
Threat and Vulnerability Management (TVM) 10
Universal Endpoint Management (UEM) 14

CCM v.4.0 also includes changes in the structure of the framework, with a new domain dedicated to Log and Monitoring (LOG) and modifications to the existing ones (GRC, A&A, UEM, CEK).  Currently, the CSA is in the process of initially mapping the CSM v.3.0.1 to align with CCM v.4.0—they are set to release that mapping in February 2021, and it will also include some of the more common control frameworks, including ISO 27001.  Additionally, the CSA is currently creating additional mappings to relevant standards, best practices, laws, and regulations (i.e. NIST 800-53 Rev 5, ENISA Security Controls for Cloud Services, CIS Controls, PCI-DSS)—those are expected to be released in the fall of 2021.

Also affected by these changes is the Consensus Assessment Initiative Questionnaire (CAIQ) v.3.1.  The CAIQ documents what security controls exist in IaaS, PaaS, and SaaS services, providing security control transparency to help cloud customers gauge the security posture of prospective cloud service providers and determine if their cloud services are suitably secure.  As another part of the updated CCM, the CAIQ is currently being adjusted to align with CCM v.4.0, and that new version should be published in April 2021.

As these previous items are being updated, there will also be some brand new additions to the CCM in the upcoming new version, including implementation guidance and auditing guidelines documents.  Set to be released in April 2021, these new items will provide broad interpretations on the use of the CCM while supporting users in better understanding and implementing the CCM controls.  Expected in summer 2021, the new guidelines will also provide an approach for auditing and assessment of the CCM controls and provide support to auditors and auditees on evaluating the correct adoption of CCM controls.

While the updates to the CCM have been extensive and will continue to be evolving over the course of 2021, it will be important to understand the CSA STAR transition timeline with regards to utilizing v.4.0 of the CAIQ and the CCM for STAR submissions as well as when the CCM v3.0.1 will no longer be accepted.

The CSA recently has communicated its updated timelines and noted them below:

  • July 2021: CSA has started accepting both CCM v4 and CAIQ v4 for all STAR Levels;
  • December 2021: STAR Level 2 will accept only CCM v4.0 for all new submissions;
  • July 2022: STAR Level 1 will start accepting only CAIQ v4 for all submissions;
  • July 2022: STAR Level 2 will require all submissions to be against CCM v4.0, with the deadline for all Level 2 to be against CCM 4.0 by December 31, 2022; and

What this means:

  • Clients maintaining CSA STAR Certification or undergoing CSA STAR Attestation will be required to be assessed against CCM 4.0 in 2022 for their scheduled assessment or examination.
  • Should any transition to CCM 4.0 not be completed by the transition period end date (12/31/22), STAR certificates issued under CCM 3.0.1 will be expired and removed from the CSA registry; reactivation will require a new initial certification review against CCM 4.0 in 2023.  STAR Attestation examinations not performed against CCM 4.0 and submitted by the transition period end date (12/31/22) will be removed from the CSA registry

Clients are required to submit to the CSA (and Schellman) their completed CAIQ v4 prior to the 2022 external assessment / examination. 

Schellman is planning to conduct all STAR Certification and Attestation audits to CCM v4.0 in 2022.

To accommodate these updates, Schellman will be revising its methodology for incorporating the new CCM into the STAR Certification audits, though we do anticipate that a majority of the 2021 STAR Certification reviews to be against v.3.0.1.  However, should a client wish to early adopt the updated CCM, please confirm completion of the updated CAIQ against 4.0 when it becomes available, and ensure that the current Statement of Applicability (SOA) includes the new CCM as part of the ISO 27001 information security management system (ISMS).

About Daniel Valentin

Daniel Valentin is a Manager with Schellman based in Tampa, Florida. Prior to joining Schellman in 2014, Daniel worked as an Internal Auditor in the industry as part of a Risk Management department specializing in physical safety and security for over 150 locations in the U.S. and Puerto Rico. Before focusing his career on professional services, Daniel worked as a Corporate Internal Auditor specializing in audit and compliance which included Sarbanes-Oxley (SOX), Mergers and Acquisitions (M&A), and fraud investigations where he gained experience in IT system analysis and project management. Daniel is now focused primarily on ISO certifications for organizations across various industries.

4010 W Boy Scout Boulevard
Suite 600
Tampa, FL 33607

U.S. 1.866.254.0000

Outside the U.S.
1.813.288.8833

Resources
Company
Stay Up-to-Date

Sign up to receive Schellman's Weekly Ready delivered every Friday morning.

© SchellmanPrivacy PolicyTerms of Use

“Schellman” is the brand name under which Schellman & Company, LLC and Schellman Compliance, LLC provide professional services. Schellman & Company, LLC and Schellman Compliance, LLC practice as an alternative practice structure in accordance with the AICPA Code of Professional Conduct and applicable law, regulations and professional standards. Schellman & Company, LLC is a licensed certified public accounting firm (Florida license number AD62941) registered with the Public Company Accounting Oversight Board (PCAOB) that provides attest services to its clients, and Schellman Compliance, LLC provides nonattest cybersecurity and compliance professional services to its clients. Schellman Compliance, LLC is not a licensed CPA firm. Schellman & Company, LLC and Schellman Compliance, LLC are independently owned and are not liable for the services provided by any other entity providing services under the Schellman brand. Our use of the terms “our firm” and “we” and “us” and terms of similar import, denote the alternative practice structure conducted by Schellman & Company, LLC and Schellman Compliance, LLC.