CryptoCurrency Security Standard (CCSS) v9.0

Industry de facto standard for cryptocurrency exchange and custodian security. 47 control objectives across 10 security aspects covering key/seed generation, wallet creation, key storage, key usage, key compromise protocol, keyholder grant/revoke, third-party audits, data sanitization, proof of reserve, and log auditing. Three certification levels (Level 1-3) with increasing rigour. Published by the CryptoCurrency Certification Consortium (C4).

AC Access Control

Control | Name | CCSS v9.0 References
AC-02 | Account Management | 1.04.1, 1.04.2, 1.06.2
AC-03 | Access Enforcement | 1.03.5, 1.05.1
AC-04 | Information Flow Enforcement | 1.05.4
AC-05 | Separation Of Duties | 1.02.2, 1.04.3, 1.05.3
AC-06 | Least Privilege | 1.03.5, 1.04.3, 1.05.1, 1.05.3
AC-17 | Remote Access | 1.03.5

AT Awareness and Training

Control | Name | CCSS v9.0 References
AT-03 | Security Training | 1.04.4

AU Audit and Accountability

Control | Name | CCSS v9.0 References
AU-01 | Audit And Accountability Policy And Procedures | 2.04.1
AU-02 | Auditable Events | 1.05.2, 2.04.1
AU-03 | Content Of Audit Records | 1.05.2, 2.04.1
AU-06 | Audit Monitoring, Analysis, And Reporting | 1.02.8, 2.01.3, 2.03.1, 2.03.2, 2.04.2, 2.04.3
AU-09 | Protection Of Audit Information | 1.04.5, 1.05.2, 2.04.1, 2.04.2, 2.04.3
AU-10 | Non-Repudiation | 1.01.7, 1.04.5, 1.05.1, 1.05.2, 2.02.2, 2.02.3, 2.04.2
AU-11 | Audit Record Retention | 2.03.1, 2.04.3
AU-12 | Audit Record Generation | 1.04.5, 1.05.2, 2.04.1

CA Security Assessment and Authorization

Control | Name | CCSS v9.0 References
CA-02 | Security Assessments | 1.01.6, 2.01.1, 2.01.2, 2.01.3, 2.02.3, 2.03.1, 2.03.2
CA-07 | Continuous Monitoring | 2.01.1, 2.01.3
CA-08 | Penetration Testing | 1.02.7, 2.01.2, 2.01.3, 2.03.2
CA-09 | Internal System Connections | 1.01.5, 2.02.2

CM Configuration Management

Control | Name | CCSS v9.0 References
CM-03 | Configuration Change Control | 1.01.3, 1.02.6
CM-05 | Access Restrictions For Change | 1.01.3
CM-06 | Configuration Settings | 1.02.6
CM-07 | Least Functionality | 1.02.1, 1.05.4
CM-08 | Information System Component Inventory | 1.02.3, 1.04.5

CP Contingency Planning

Control | Name | CCSS v9.0 References
CP-02 | Contingency Plan | 1.06.1, 1.06.4
CP-04 | Contingency Plan Testing And Exercises | 1.06.3
CP-06 | Alternate Storage Site | 1.03.4
CP-09 | Information System Backup | 1.03.2, 1.03.3, 1.03.4, 1.03.7
CP-10 | Information System Recovery And Reconstitution | 1.03.2

IA Identification and Authentication

Control | Name | CCSS v9.0 References
IA-02 | User Identification And Authentication | 1.03.5, 1.04.1, 1.04.3, 1.05.1, 1.05.3
IA-05 | Authenticator Management | 1.04.1, 1.04.2, 1.06.2
IA-12 | Identity Proofing | 1.03.5, 1.04.4

IR Incident Response

Control | Name | CCSS v9.0 References
IR-01 | Incident Response Policy And Procedures | 1.06.1
IR-03 | Incident Response Testing And Exercises | 1.06.3
IR-05 | Incident Monitoring | 1.02.8
IR-06 | Incident Reporting | 1.06.2, 2.04.2
IR-08 | Incident Response Plan | 1.06.1, 1.06.3, 1.06.4

MP Media Protection

Control | Name | CCSS v9.0 References
MP-05 | Media Transport | 1.01.4
MP-06 | Media Sanitization And Disposal | 2.02.1, 2.02.2, 2.02.3
MP-07 | Media Use | 2.02.1

PE Physical and Environmental Protection

Control | Name | CCSS v9.0 References
PE-02 | Physical Access Authorizations | 1.01.1, 1.01.7, 1.03.6
PE-03 | Physical Access Control | 1.01.1, 1.01.7, 1.03.6, 1.05.5
PE-06 | Monitoring Physical Access | 1.01.1
PE-09 | Power Equipment And Power Cabling | 1.03.3, 1.03.7
PE-10 | Emergency Shutoff | 1.03.3
PE-13 | Fire Protection | 1.03.3
PE-14 | Temperature And Humidity Controls | 1.03.3, 1.03.7
PE-18 | Location Of Information System Components | 1.03.4

PL Planning

Control | Name | CCSS v9.0 References
PL-01 | Security Planning Policy And Procedures | 1.01.5, 1.02.5

PM Program Management

Control | Name | CCSS v9.0 References
PM-05 | System Inventory | 1.02.3
PM-09 | Risk Management Strategy | 1.02.5

PS Personnel Security

Control | Name | CCSS v9.0 References
PS-03 | Personnel Screening | 1.04.4
PS-04 | Personnel Termination | 1.04.1, 1.04.2, 1.06.2
PS-05 | Personnel Transfer | 1.04.2

RA Risk Assessment

Control | Name | CCSS v9.0 References
RA-05 | Vulnerability Scanning | 2.01.1, 2.01.2

SA System and Services Acquisition

Control | Name | CCSS v9.0 References
SA-11 | Developer Security Testing | 1.02.7
SA-15 | Development Process, Standards, and Tools | 1.02.7

SC System and Communications Protection

Control | Name | CCSS v9.0 References
SC-08 | Transmission Integrity | 1.01.4, 1.06.4
SC-12 | Cryptographic Key Establishment And Management | 1.01.1, 1.01.2, 1.01.4, 1.01.5, 1.01.6, 1.01.7, 1.02.1, 1.02.2, 1.02.3, 1.02.4, 1.02.5, 1.02.6, 1.03.1, 1.03.2, 1.03.6, 1.05.5, 1.06.1
SC-13 | Use Of Cryptography | 1.01.2, 1.01.6, 1.02.1, 1.02.2, 1.03.1
SC-17 | Public Key Infrastructure Certificates | 1.02.4
SC-28 | Protection of Information at Rest | 1.01.1, 1.01.4, 1.03.1, 1.03.6, 1.05.5

SI System and Information Integrity

Control | Name | CCSS v9.0 References
SI-02 | Flaw Remediation | 2.01.1
SI-03 | Malicious Code Protection | 1.01.3, 1.05.4
SI-04 | Information System Monitoring Tools And Techniques | 1.02.8, 2.04.2, 2.04.3
SI-07 | Software And Information Integrity | 1.01.3, 1.02.4
SI-12 | Information Output Handling And Retention | 2.02.1