← Frameworks / Digital Asset Security

CryptoCurrency Security Standard (CCSS) v9.0

Industry de facto standard for cryptocurrency exchange and custodian security. 47 control objectives across 10 security aspects covering key/seed generation, wallet creation, key storage, key usage, key compromise protocol, keyholder grant/revoke, third-party audits, data sanitization, proof of reserve, and log auditing. Three certification levels (Level 1-3) with increasing rigour. Published by the CryptoCurrency Certification Consortium (C4).

Clauses: 47

Avg Coverage: 54.3%

Publisher: CryptoCurrency Certification Consortium (C4) Version: 9.0 (2024)

CCSS v9.0 → SP 800-53 SP 800-53 → CCSS v9.0 Coverage Analysis

Clause	Title	SP 800-53 Controls
1.01.1	Key Material Generation — Confidentiality of Key Generation Environment	SC-28 PE-02 PE-03 PE-06 SC-12
1.01.2	Key Material Generation — Entropy and Randomness Sources	SC-12 SC-13
1.01.3	Key Material Generation — Software Validation and Integrity	SI-03 SI-07 CM-03 CM-05
1.01.4	Key Material Generation — Automated Signing Agent Key Transfer	SC-12 SC-28 MP-05 SC-08
1.01.5	Key Material Generation — Level 1 Documentation and Procedural Controls	SC-12 PL-01 CA-09
1.01.6	Key Material Generation — Level 2 Generation Methodology Validation	CA-02 SC-12 SC-13
1.01.7	Key Material Generation — Level 3 Advanced Ceremony Controls	SC-12 PE-02 PE-03 AU-10
1.02.1	Wallet Creation — Single-Signer Wallet Architecture	SC-12 SC-13 CM-07
1.02.2	Wallet Creation — Multi-Signer Wallet Architecture	SC-12 SC-13 AC-05
1.02.3	Wallet Creation — Wallet Inventory and Address Management	CM-08 SC-12 PM-05
1.02.4	Wallet Creation — Address Verification and Integrity	SI-07 SC-12 SC-17
1.02.5	Wallet Creation — Level 2 Documented Custody Policy for Wallet Creation	PL-01 SC-12 PM-09
1.02.6	Wallet Creation — Level 2 Deterministic Wallet Controls	SC-12 CM-03 CM-06
1.02.7	Wallet Creation — Level 3 Smart Contract Wallet Auditing	CA-08 SA-11 SA-15
1.02.8	Wallet Creation — Level 3 Smart Contract State Monitoring	SI-04 AU-06 IR-05
1.03.1	Key Storage — Encryption of Keys at Rest	SC-28 SC-12 SC-13
1.03.2	Key Storage — Backup Existence and Accessibility	CP-09 CP-10 SC-12
1.03.3	Key Storage — Environmental Protection of Key Backups	PE-09 PE-10 PE-13 PE-14 CP-09
1.03.4	Key Storage — Level 2 Geographic Separation of Key Backups	CP-06 CP-09 PE-18
1.03.5	Key Storage — Level 2 Access Control for Key Material	AC-03 AC-06 AC-17 IA-02 IA-12
1.03.6	Key Storage — Level 3 Cold Storage and Hardware Security Controls	SC-12 SC-28 PE-02 PE-03
1.03.7	Key Storage — Level 3 EMP-Resistant Backup Storage	PE-09 PE-14 CP-09
1.04.1	Key Material Access — Keyholder Onboarding and Access Grant Procedures	PS-04 AC-02 IA-02 IA-05
1.04.2	Key Material Access — Keyholder Offboarding and Access Revocation	PS-04 PS-05 AC-02 IA-05
1.04.3	Key Material Access — Level 2 Quorum-Based Keyholder Authorization	AC-05 AC-06 IA-02
1.04.4	Key Material Access — Level 2 Keyholder Identity Verification and Training	PS-03 AT-03 IA-12
1.04.5	Key Material Access — Level 3 Formal Keyholder Registry and Audit Trail	AU-09 AU-10 AU-12 CM-08
1.05.1	Key Usage — Transaction Authorization and Signing Controls	AC-03 AC-06 IA-02 AU-10
1.05.2	Key Usage — Key Usage Logging and Non-Repudiation	AU-02 AU-03 AU-09 AU-10 AU-12
1.05.3	Key Usage — Level 2 Multi-Party Authorization for High-Value Transactions	AC-05 AC-06 IA-02
1.05.4	Key Usage — Level 2 Destination Address Whitelisting and Verification	CM-07 AC-04 SI-03
1.05.5	Key Usage — Level 3 Hardware-Enforced Signing and Trusted Display	SC-12 SC-28 PE-03
1.06.1	Key Compromise Protocol — Documented Key Compromise Response Procedures	IR-01 IR-08 CP-02 SC-12
1.06.2	Key Compromise Protocol — Compromised Keyholder Response and Access Revocation	IR-06 PS-04 AC-02 IA-05
1.06.3	Key Compromise Protocol — Level 2 Tested and Rehearsed Response Procedures	IR-03 CP-04 IR-08
1.06.4	Key Compromise Protocol — Level 3 Out-of-Band Communication and Advanced Compromise Controls	IR-08 CP-02 SC-08
2.01.1	Security Audits — Level 1 Vulnerability Scans and Annual Security Review	CA-02 CA-07 RA-05 SI-02
2.01.2	Security Audits — Level 2 Independent Penetration Testing	CA-08 RA-05 CA-02
2.01.3	Security Audits — Level 3 Full Independent CCSS Compliance Audit	CA-02 CA-07 CA-08 AU-06
2.02.1	Data Sanitization — Level 1 Documented Sanitization Policy for Key Material	MP-06 MP-07 SI-12
2.02.2	Data Sanitization — Level 2 Verified Destruction with Evidence	MP-06 AU-10 CA-09
2.02.3	Data Sanitization — Level 3 Third-Party Verified Destruction	MP-06 CA-02 AU-10
2.03.1	Proof of Reserve — Level 1 Internal Reserve Verification and Reconciliation	CA-02 AU-06 AU-11
2.03.2	Proof of Reserve — Level 2 Independent Third-Party Reserve Attestation	CA-02 CA-08 AU-06
2.04.1	Audit Logs — Level 1 Logging Policy and Key Management Event Logging	AU-01 AU-02 AU-03 AU-09 AU-12
2.04.2	Audit Logs — Level 2 Tamper-Evident Log Storage and Alert Generation	AU-09 AU-10 AU-06 SI-04 IR-06
2.04.3	Audit Logs — Level 3 One-Year Retention, SIEM Integration, and Blockchain Event Monitoring	AU-11 AU-06 SI-04 AU-09