Cloud Security Alliance announces mappings between CCM and NIST's Cybersecurity Framework

May 8, 2024
This mapping serves to align CCM with CSF and to identify the equivalence, gaps, and misalignment between the control specifications of the two frameworks.

SAN FRANCISCO -- RSA Conference -- The Cloud Security Alliance (CSA) today announced an additional mapping and gap analysis between its flagship Cloud Controls Matrix (CCM) and the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) v2.0.

Drafted by the CCM Working Group, this mapping serves to align CCM with CSF and to identify the equivalence, gaps, and misalignment between the control specifications of the two frameworks, allowing for more streamlined compliance. Cloud organizations can leverage this mapping to derive numerous key benefits, enhancing their cloud security and compliance programs.

“By expanding upon the CCM’s current mapping to NIST’s Cybersecurity Framework we are not only providing a means to aligning an organization's cloud security and compliance efforts, but ensuring that every step forward is in the right direction,” said Lefteris Skoutaris, Program Manager and Research Analyst, Cloud Security Alliance, EMEA.

Additionally, the Cloud Controls Matrix (CCM) Working Group would like to announce a new minor update to CCM v4.0.11. This update and release incorporates the additional mapping of CCMv4.0 with NIST CSF v2.0. This update serves to strengthen CCM’s position as the cloud security industry’s preferred control framework.

This additional mapping brings the total number of mappings to 15. The CCM Working Group previously mapped CCM to the following standards: NIST 800-53r5, NIST CSF v1.1 and v2.0, PCI DSS v3.2.1 and v4.0, ISO/IEC 27001 (2013, 2022), ISO/IEC 27002 (2013, 2022), ISO/IEC 27017 (2015), ISO/IEC 27018 (2019), AICPA TSC (2017), CIS v8.0, ISF SOGP 2022 and CCM v3.0.1. Additional mappings are under development and will be added in the future.

The Cloud Controls Matrix (CCM) is a cybersecurity control framework for cloud computing, composed of 197 control objectives structured in 17 domains, covering all key aspects of the cloud technology. It can be used as a tool for the systematic assessment of a cloud implementation, and provides guidance on which security controls should be implemented by which actor within the cloud supply chain. The controls framework is aligned to the CSA Security Guidance for Cloud Computing and is considered a de-facto standard for cloud security assurance and compliance.

Along with releasing updated versions of the CCM and CAIQ, the Cloud Controls Matrix Working Group provides control mappings, gap analysis, and addendums between the CCM and other industry standards and regulations to keep it continually up-to-date. Those interested in participating in the working group or its research are invited to join.

The CCM is a free resource and is available for download now.