Understanding the Transition to CSA STAR Cloud Controls Matrix v4

The Cloud Security Alliance Security, Trust, Assurance, and Risk (CSA STAR) program and the accompanying Cloud Controls Matrix (CCM) form a world-renowned cybersecurity assurance framework that cloud service providers (CSPs) can use to demonstrate they follow best practices that support secure cloud computing.  

If your business currently has (or plans to pursue) CSA STAR certification, you should be aware that CCM v3.0.1 is in the process of being replaced by CCM v4. Below are the key dates you need to know for this transition as well as the primary differences between CCM v3.0.1 and v4.  

CCM v4 Transition Timeline  

CSA is still accepting CCM v3.0.1 for some submissions as v4 is phased in, but will require everyone to use v4 by the beginning of 2023. For this reason, CSPs that have yet to make the switch to v4 should start doing so sooner rather than later.  

The full timeline for the transition to CCM v4 is as follows:  

  • August 2021: Began accepting both v4 and CCM v3.0.1 for all STAR Levels.  
  • December 2021: Began requiring CCM v4 for all new Level 2 submission.  
  • July 2022: Will begin only accepting CCM v4 for all Level 1 and Level 2 submissions.  
  • January 21, 2023: CCM v3.0.1 will be officially withdrawn.  

This means if a certified STAR auditor performs a new CSA STAR Level 2 certification submission (Level 1 is a self-assessment that does not result in certification) on behalf of your organization, it will be against CCM v4.  

However, if your organization currently has a certification or attestation listed on the official CSA STAR registry, you technically won’t be required to demonstrate conformity to CCM v4 until your next renewal audit. Renewal audits happen annually for SOC 2 + CSA STAR Attestations and every three years for ISO 27001:2013 + CSA STAR Certifications as well as GB/T 22080-2008 + CSA C-STAR Assessments. To determine whether or not this is needed, reach out to your CSA STAR auditor and determine if it’s worth planning to accelerate or adjust any elements of the official transition timeline.  

CCM v3.0.1 vs. CCM v4  

It’s important to understand the why behind the CSA’s decision to release a new edition of the framework to replace the previous version that had been in place since 2014. In the CSA’s own words, CCM v4 was developed in order to:  

  • Ensure coverage of requirements deriving from new cloud technologies (e.g., microservices, containers) and new legal and regulatory requirements especially in the privacy realm. 
  • Improve the auditability of the controls and provide better implementation and assessment guidance to organizations. 
  • Clarify the allocation of cloud security responsibilities within the shared responsibility model. 
  • Improve interoperability and compatibility with other standards.  

To accomplish these goals, CCM v4 includes modified security domains and additional controls. It has 197 control objectives over 17 domains, compared to the 133 control objectives over 16 domains contained in CCM v3.0.1.  

The modified domains are Governance, Risk Management and Compliance, Audit and Assurance, Universal Endpoint Management, and Cryptography, Encryption, and Key Management. The new domain, Logging and Monitoring, was added to address the increase in ransomware and other cyberattacks.  

Data privacy is also on the rise as an area of top security concern, which is why CCM v4 features a greater focus on Privacy Lifecycle Management. This domain was only limited to privacy matters related to bring-your-own-device (BYOD) work policies under CCM v3.0.1. Together, all of the new and modified controls help CSPs adopt international cybersecurity best practices that are specific to cloud security and data privacy.  

New supporting documentation  

CCM v4 also introduces a few pieces of supporting documentation CSPs can use to gain clarity around the certification process and what they need to do to prepare. These documents include:  

  • Implementation Guidelines: Explains how to implement the various CCM controls, created by the CCM Working Group.  
  • Control Applicability Matrix: Helps CSPs delineate security responsibilities between themselves and their customers  
  • Auditing Guidelines: Intended to be used by auditors, this guide is useful for CSPs looking to understand how their security will be assessed under an official audit.   

CAIQ v3.1 vs. CAIQ v4  

The Consensus Assessments Initiative Questionnaire (CAIQ) is based on the best practices listed in the CCM. It serves as the self-assessment a CSP must submit to the registry to earn CSA STAR Level 1. The CAIQ is also a prerequisite for pursuing CSA STAR Level 2 under the official Code of Practice.  

Just as the CCM was modernized with v4, the CAIQ has been updated (also to v4) to align with all of the changes mentioned previously. CAIQ v4 replaces CAIQ v3.1, which itself was a minor update to the previous CAIQ v3.0.1. There are two primary changes that are worth noting when comparing CCM 3.1 and CCM v4.  

First, CAIQ v4 has lowered the total number of questions to 261 (down from 310 in v3.1). Even though CCM v4 added more control objectives, the CSA was able to reduce the amount of questions on the CAIQ through improved alignment and reduced redundancy.  

The second significant change is the addition of new columns related to the Shared Security Responsibility Model (SSRM) which allow CSPs to give a more detailed description of who is responsible for implementing each control — the business or its customers. There is one mandatory multiple-choice column where the business must specify if each control is:  

  • CSP-owned  
  • Customer-owned  
  • Outsourced to a third party  
  • Shared between the CSP and customer  
  • Shared between the CSP and third party  

There are also a few optional columns a CSP may fill out to further elaborate on how they are satisfying their requirements and what they expect their customers to do to comply with their responsibilities.   

Level Up Your CSA STAR Certification  

CCM v4 enables CSPs to stay at the forefront of cloud security best practices. CSA STAR certification helps prove you follow the key CCM principles through an assessment carried out by an independent third-party auditor. Don’t delay in getting up to speed with CCMv4 as the assessment will bring your partners, prospects and customers peace of mind.   

If you are currently in the SOC 2 + CSA STAR Attestation process or have an upcoming engagement and would like to understand where your organization stands, A-LIGN can perform a gap assessment to identify what areas will need additional information based on the recent changes.