Using the CCM within FedRAMP

From: Unofficial Federal Risk Authorization Management Project

The Cloud Controls Matrix (CCM) version 1.3 of the CSA GRC Stack introduced an alignment with the final FedRAMP overlay, which is based on the NIST SP 800-53 Revision 3 security controls.

The CCM consists of 11 control areas and 98 controls covering compliance, data governance, facility security, human resources, information security, legal, operations management, risk management, release management, resiliency, and security architecture. These control areas provide the fundamental security principles for specifying the overall security needs of a cloud consumer and for assessing the overall risk of a cloud provider. In addition, the CCM, as depicted below, maps each of the 98 controls to the organizational level (e.g., corporate governance) and delineates control ownership by cloud service type (i.e., SaaS, PaaS, IaaS), supplier relationship (i.e., service provider vs. tenant/consumer), and architectural relevance (i.e., physical, network, compute, storage, application, and data). The CCM also provides a relational mapping to a variety of other information security standards, regulations, and control frameworks, including ISO/IEC 27001, ISACA Control Objectives for Information and Related Technology (COBIT) 4.1, Payment Card Industry Data Security Standard (PCI DSS) Version 2.0, Generally Accepted Privacy Principles (GAPP), NIST 800-53 Revision 3, HIPAA/HITECH, Jericho Forum, North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP), BITS Shared Assessments, and the Federal Risk and Authorization Management Program (FedRAMP).

Within FedRAMP, cloud service providers (CSPs) will likely have already aligned their security and compliance programs with a variety of information security standards, regulations, and control frameworks. A CSP therefore benefits from describing its information security program within the context of the CCM: it can reuse the existing documentation and evidence produced while developing the security processes, practices, and technologies that implement its security controls, and apply that evidence to the requirements of FedRAMP. For an example of how the CCM covers the FedRAMP security controls (i.e., the Federal Cloud Overlay), refer to the FedRAMP-CCM Matrix.


About the CSA CCM

“As a framework, the CSA CCM provides organizations with the needed structure, detail and clarity relating to information security tailored to the cloud industry. The CSA CCM strengthens existing information security control environments by emphasizing business information security control requirements, reduces and identifies consistent security threats and vulnerabilities in the cloud, provides standardized security and operational risk management, and seeks to normalize security expectations, cloud taxonomy and terminology, and security measures implemented in the cloud.”

- Cloud Security Alliance (CSA) CCM Working Group
