CSA CCM v.3.01 vs v.4.0

Editor's note: The timelines in this article have been updated to reflect changes from the CSA.

On January 20, 2021, the Cloud Security Alliance (CSA) updated its Security Guidance v.4.0 to include extensive content addressing leading-edge cloud security practices. The CCM provides a controls framework detailing security concepts and principles that are aligned to other industry-accepted security standards, regulations, and controls frameworks (e.g. ISO 27001/27002/27017/27018, NIST SP 800-53, AICPA TSC, German BSI C5, PCI DSS, ISACA COBIT, NERC CIP, FedRAMP, CIS). As part of the guidance update, Cloud Controls Matrix (CCM) v.4.0 was adjusted to ensure coverage of requirements deriving from new cloud technologies, new controls and the shared security responsibility matrix, improved auditability of the controls, and enhanced interoperability and compatibility with other standards.

Prior to this publication, the previous version of the CCM, v.3.0.1, comprised 133 control objectives over 16 domains, covering key aspects of cloud technology mapped to leading standards, best practices, and regulations. The new v.4.0 now includes 197 control objectives over 17 domains, as noted below:

Domain Controls
Audit and Assurance (A&A) 6
Application and Interface Security (AIS) 7
Business Continuity Management and Operational Resilience (BCR) 11
Change Control and Configuration Management (CCC) 9
Cryptography, Encryption and Key Management (CEK) 21
Datacenter Security (DCS) 15
Data Security and Privacy Lifecycle Management (DSP) 19
Governance, Risk and Compliance (GRC) 8
Human Resources (HRS) 13
Identity and Access Management (IAM) 16
Interoperability and Portability (IPY) 4
Infrastructure and Virtualization Security (IVS) 9
Logging and Monitoring (LOG) 12
Security Incident Management, E-Discovery, and Cloud Forensics (SEF) 8
Supply Chain Management, Transparency, and Accountability (STA) 14
Threat and Vulnerability Management (TVM) 10
Universal Endpoint Management (UEM) 14

CCM v.4.0 also includes changes in the structure of the framework, with a new domain dedicated to Logging and Monitoring (LOG) and modifications to the existing ones (GRC, A&A, UEM, CEK). Currently, the CSA is in the process of initially mapping CCM v.3.0.1 to align with CCM v.4.0; they are set to release that mapping in February 2021, and it will also include some of the more common control frameworks, including ISO 27001. Additionally, the CSA is currently creating additional mappings to relevant standards, best practices, laws, and regulations (e.g. NIST 800-53 Rev 5, ENISA Security Controls for Cloud Services, CIS Controls, PCI-DSS); those are expected to be released in the fall of 2021.

Also affected by these changes is the Consensus Assessment Initiative Questionnaire (CAIQ) v.3.1.  The CAIQ documents what security controls exist in IaaS, PaaS, and SaaS services, providing security control transparency to help cloud customers gauge the security posture of prospective cloud service providers and determine if their cloud services are suitably secure.  As another part of the updated CCM, the CAIQ is currently being adjusted to align with CCM v.4.0, and that new version should be published in April 2021.

As these previous items are being updated, there will also be some brand new additions to the CCM in the upcoming new version, including implementation guidance and auditing guidelines documents.  Set to be released in April 2021, these new items will provide broad interpretations on the use of the CCM while supporting users in better understanding and implementing the CCM controls.  Expected in summer 2021, the new guidelines will also provide an approach for auditing and assessment of the CCM controls and provide support to auditors and auditees on evaluating the correct adoption of CCM controls.

While the updates to the CCM have been extensive and will continue to evolve over the course of 2021, it will be important to understand the CSA STAR transition timeline with regard to utilizing v.4.0 of the CAIQ and the CCM for STAR submissions, as well as when CCM v3.0.1 will no longer be accepted.

The CSA recently communicated its updated timelines, noted below:

  • July 2021: CSA has started accepting both CCM v4 and CAIQ v4 for all STAR Levels;
  • December 2021: STAR Level 2 will accept only CCM v4.0 for all new submissions;
  • July 2022: STAR Level 1 will start accepting only CAIQ v4 for all submissions;
  • July 2022: STAR Level 2 will require all submissions to be against CCM v4.0, with the deadline for all Level 2 to be against CCM 4.0 by December 31, 2022; and

What this means:

  • Clients maintaining CSA STAR Certification or undergoing CSA STAR Attestation will be required to be assessed against CCM 4.0 in 2022 for their scheduled assessment or examination.
  • Should any transition to CCM 4.0 not be completed by the transition period end date (12/31/22), STAR certificates issued under CCM 3.0.1 will expire and be removed from the CSA registry; reactivation will require a new initial certification review against CCM 4.0 in 2023. STAR Attestation examinations not performed against CCM 4.0 and submitted by the transition period end date (12/31/22) will be removed from the CSA registry.

Clients are required to submit to the CSA (and Schellman) their completed CAIQ v4 prior to the 2022 external assessment / examination.

Schellman is planning to conduct all STAR Certification and Attestation audits to CCM v4.0 in 2022.

To accommodate these updates, Schellman will be revising its methodology for incorporating the new CCM into the STAR Certification audits, though we anticipate that a majority of the 2021 STAR Certification reviews will be against v.3.0.1. However, should a client wish to early adopt the updated CCM, please confirm completion of the updated CAIQ against 4.0 when it becomes available, and ensure that the current Statement of Applicability (SOA) includes the new CCM as part of the ISO 27001 information security management system (ISMS).

About the Author

Daniel Valentin

Daniel Valentin is a Senior Associate with Schellman & Company, LLC. Prior to joining Schellman in 2014, Daniel worked as an Internal Auditor for Loomis AB's Risk Management department specializing in physical safety and security for over 150 locations in the US and Puerto Rico. Before focusing his career on professional services, Daniel worked as a Corporate Internal Auditor for EzCorp specializing in audit and compliance which included Sarbanes-Oxley (SOX), Mergers and Acquisitions (M&A), and fraud investigations where he gained experience in IT system analysis and project management.
