What you need to know: Transitioning CSA STAR for Cloud Controls Matrix 4.0

In January of this year, the Cloud Security Alliance (CSA) released a major revision to its widely adopted Cloud Controls Matrix (CCM) in the form of version 4.0. This comes in the middle of a calendar year where several alternative information security frameworks are also expected to be refined, including the HITRUST CSF, ISO/IEC 27002, and PCI DSS.

Coalfire currently acts as a co-chairman to the Open Certification Framework (OCF) working group that is tasked with aligning other third-party assurance frameworks with the CCM for the purpose of increasing visibility and transparency of cloud service providers' (CSPs) security practices.

Coalfire regularly contributes and participates in industry groups within the CSA and is a a consistent supporter of the Security, Trust, Assurance, and Risk (STAR) program popularized by this alliance of CSPs and cloud customers. STAR celebrated its 1,000th registrant in 2020 via a live event where Coalfire leadership described the early days of the program and its successes as the CCM sought to push a new industry benchmark for cloud technologies.

The STAR program allows organizations to both self-assess (Level 1) and participate in third-party assurance inspections (Level 2) based on responses to the Consensus Assessment Initiative Questionnaire (CAIQ) and the effective implementation of the CCM. For third-party assessments, Coalfire is one of approximately 20 approved STAR auditors globally, and maintains authorization to assess for both STAR Attestation based on prior SOC 2 examinations and STAR Certification that build on existing, accredited ISO/IEC 27001 certifications.

Being the first revision to the CCM since version 3.0.1 was released in August 2019, several organizations approached our teams requesting further information on how the transition affects them as either a current participant on the STAR registry or a prospective applicant undergoing a CCM audit by an approved auditor for the first time. The standardization team at Coalfire examined this new framework and compiled several sources made available by the CSA to answer the most frequently asked questions (FAQ) surrounding this event.

What are the significant differences between the existing version of the CCM and this new revision?

Several control specifications were revised for more current word choice preferred by the industry as well as made more prescriptive to better mitigate the underlying risk. Notably, the CCM expanded from its 16-domain structure to a 17th control family and as increased the total number of controls by more than 50% from 133 to 197 objectives as part of this release.

Coalfire determined an increased focus in the area of privacy lifecycle management (total of 19 controls), which was previously limited to only privacy concerns associated with bring-your-own-device (BYOD) policies. Additionally, cryptography expanded from only 4 controls within the prior version’s Encryption & Key Management Entitlement domain to 21 controls within the refined Cryptography, Encryption & Key Management grouping described within version 4.0.

Does the CCM version 4.0 integrate well with other popular information security frameworks?

Yes. The authors of this revision to the CCM included a crosswalk within a separate worksheet appended to the CCM entitled “Scope Applicability (Mappings)” that maps these updated control specifications to both the prior version of the CCM and several standards within the ISO/IEC 27000 series, including ISO/IEC 27001, ISO/IEC 27002, ISO/IEC 27017, and ISO/IEC 27018. Mappings to Center for Internet Security (CIS) Controls Version 8 and the AICPA Trust Services Criteria (TSC) 2017 are expected to be released by the CSA in June 2021 with additional mappings as part of separate initiatives by October 2021.

For organizations currently listed within the STAR registry as Level 2 Attestation or Certification, when will the transition to CCM version 4.0 be required?

For currently certified or attested registrants of STAR, submissions by audit providers on behalf of these organizations are required to demonstrate conformity to CCM version 4.0 for all assessments that conclude after June 30, 2022. However, audit providers may require inspections utilizing version 4.0 before the enforcement date. It is recommended to directly engage with the audit provider to discover any adjustments to this transition deadline.

For organizations currently pursuing Level 2 registration for STAR, will CCM version 4.0 be required during the initial examination or certification audit?

CSA will accept new Level 2 registrants to the STAR program under CCM version 3.0.1 until December 2021; however, it is strongly advised to transition to CCM version 4.0 if the initial examination or certification audit is not expected to conclude prior to November 2021 during this initial adoption period.

For organizations currently pursuing Level 1 registration for STAR via self-assessment, will CAIQ version 4.0 be required?

CSA will accept new Level 1 registrants via self-assessment to the STAR program under CAIQ version 3.1 through June 30, 2022. There is a lengthier transition timeline for the CAIQ, as version 4.0 was only released on June 7, 2021 and Level 1 submissions with this version of the CAIQ will be accepted by CSA beginning in early July 2021 per the CSA blog.

Should Level 2 registrants expect any changes to the maturity scoring methods for each CCM domain as a result of CCM version 4.0?

There are currently no communicated adjustments to the maturity scoring as a result of this revision to the CCM. The release of new guidelines for STAR auditors is expected to be made available in September 2021.

Is the Certificate of Cloud Security Knowledge (CCSK) curriculum affected by the release of CCM version 4.0?

CSA has communicated no intended changes in the short term to the CCSK examination and has indicated that all form questions relating to the CCM will reference version 3.0.1. For more current information on relevant personal cloud certifications, Coalfire recommends to investigate the new Certificate of Cloud Auditing Knowledge (CCAK) curriculum that was recently released via a joint initiative between the CSA and ISACA.