CSA CCM v.3.01 vs v.4.0

On January 20, 2021, the Cloud Security Alliance (CSA) updated its Security Guidance v.4.0 to include extensive content addressing leading-edge cloud security practices.  The CCM provides a controls framework detailing understanding of security concepts and principles that are aligned to other industry-accepted security standards, regulations, and controls frameworks (i.e. ISO 27001/27002/27017/27018, NIST SP 800-53, AICPA TSC, German BSI C5, PCI DSS, ISACA COBIT, NERC CIP, FedRamp, CIS).  As part of the guidance update, Cloud Control Matrix (CCM) v.4.0 was adjusted to ensure coverage of requirements deriving from new cloud technologies, new controls and the security responsibility matrix, improved auditability of the controls, and enhanced interoperability and compatibility with other standards.

Prior to the publication, the previous version of the CCM, v.3.0.1, comprised 133 control objectives over 16 domains, covering key aspects of cloud technology mapped to leading standards, best practices, and regulations.  The new Version 4.0 now includes 197 control objectives over 17 domains, as noted below:

Domain Controls
Audit and Assurance (A&A) 6
Application and Interface Security (AIS) 7
Business Continuity Management and Operational Resilience (BCR) 11
Change Control and Configuration Management (CCC) 9
Cryptography, Encryption and Key Management (CEK) 21
Datacenter Security (DCS) 15
Data Security and Privacy Lifecycle Management (DSP) 19
Governance, Risk and Compliance (GRC) 8
Human Resources (HRS) 13
Identity and Access Management (IAM) 16
Interoperability and Portability (IPY) 4
Infrastructure and Virtualization Security (IVS) 9
Logging and Monitoring (LOG) 12
Security Incident Management, E-Discovery, and Cloud Forensics (SEF) 8
Supply Chain Management, Transparency, and Accountability (STA) 14
Threat and Vulnerability Management (TVM) 10
Universal Endpoint Management (UEM) 14

CCM v.4.0 also includes changes in the structure of the framework, with a new domain dedicated to Log and Monitoring (LOG) and modifications to the existing ones (GRC, A&A, UEM, CEK).  Currently, the CSA is in the process of initially mapping the CSM v.3.0.1 to align with CCM v.4.0—they are set to release that mapping in February 2021, and it will also include some of the more common control frameworks, including ISO 27001.  Additionally, the CSA is currently creating additional mappings to relevant standards, best practices, laws, and regulations (i.e. NIST 800-53 Rev 5, ENISA Security Controls for Cloud Services, CIS Controls, PCI-DSS)—those are expected to be released in the fall of 2021.

Also affected by these changes is the Consensus Assessment Initiative Questionnaire (CAIQ) v.3.1.  The CAIQ documents what security controls exist in IaaS, PaaS, and SaaS services, providing security control transparency to help cloud customers gauge the security posture of prospective cloud service providers and determine if their cloud services are suitably secure.  As another part of the updated CCM, the CAIQ is currently being adjusted to align with CCM v.4.0, and that new version should be published in April 2021.

As these previous items are being updated, there will also be some brand new additions to the CCM in the upcoming new version, including implementation guidance and auditing guidelines documents.  Set to be released in April 2021, these new items will provide broad interpretations on the use of the CCM while supporting users in better understanding and implementing the CCM controls.  Expected in summer 2021, the new guidelines will also provide an approach for auditing and assessment of the CCM controls and provide support to auditors and auditees on evaluating the correct adoption of CCM controls.

While these changes to the CCM are extensive and will continue to evolve over the course of 2021, it is important to likewise understand the CSA STAR transition timeline with regards to utilizing v.4.0 of the CAIQ and the CCM for STAR submissions, including the point at which the CCM v3.0.1 will no longer be accepted.  Fortunately, the CSA has communicated its timelines, which are below:

  • May 2021: CSA will start accepting both v.4.0 and v.3.0.1 for all STAR Levels.

  • October 2021: STAR Level 2 will only accept v.4.0 for all new submissions.

  • May 2022: STAR Level 1 will start accepting only v.4.0 for all submissions.

  • January 2023: STAR Level 2 will require all submissions to be v.4.0.

Moreover, organizations currently listed in the STAR registry have a two-year transition period to adopt CCM v.4.0.  That transition period will end in January 2023.

To accommodate these updates, Schellman will be revising its methodology for incorporating the new CCM into the STAR Certification audits, though we do anticipate that a majority of the 2021 STAR Certification reviews to be against v.3.0.1.  However, should a client wish to early adopt the updated CCM, please confirm completion of the updated CAIQ against 4.0 when it becomes available, and ensure that the current Statement of Applicability (SOA) includes the new CCM as part of the ISO 27001 information security management system (ISMS).

About the Author

Daniel Valentin

Daniel Valentin is a Senior Associate with Schellman & Company, LLC. Prior to joining Schellman in 2014, Daniel worked as an Internal Auditor for Loomis AB's Risk Management department specializing in physical safety and security for over 150 locations in the US and Puerto Rico. Before focusing his career on professional services, Daniel worked as a Corporate Internal Auditor for EzCorp specializing in audit and compliance which included Sarbanes-Oxley (SOX), Mergers and Acquisitions (M&A), and fraud investigations where he gained experience in IT system analysis and project management.

More Content by Daniel Valentin
Previous Article
No More Hidden Figures
No More Hidden Figures

Spotlighting Black tech leaders in honor of Black History Month

Next Article
National Self-Check Month
National Self-Check Month

Be proactive about your health and wellness


First Name
Error - something went wrong!