
CSA AI Controls Matrix v1.0.3

AI security standard extending CSA CCM with 243 control objectives across 18 domains including the new Model Security (MDS) domain. Covers AI-specific risks including adversarial ML, training data governance, model integrity, and responsible AI. Used alongside CCM for cloud AI assessments.

AC Access Control

Control Name | CSA AICM v1 References
AC-01 Access Control Policies and Procedures | DSP-01, IAM-01
AC-02 Account Management | IAM-03, IAM-05, IAM-06, IAM-07, IAM-08, IAM-10, IAM-11, IAM-13, IAM-17, IAM-18, LOG-12
AC-03 Access Enforcement | DSP-17, IAM-16, MDS-07
AC-04 Information Flow Enforcement | AIS-08, DSP-05, DSP-10, DSP-22, I&S-03, I&S-06, UEM-11
AC-05 Separation Of Duties | IAM-04, IAM-09, IAM-19
AC-06 Least Privilege | IAM-04, IAM-05, IAM-08, IAM-09, IAM-10, IAM-11, IAM-16, IAM-18, IAM-19, LOG-04, MDS-07
AC-11 Session Lock | HRS-03, UEM-06
AC-16 Automated Labeling | DSP-04, DSP-06, IAM-16
AC-17 Remote Access | HRS-04
AC-19 Access Control For Portable And Mobile Devices | UEM-01, UEM-13
AC-20 Use Of External Information Systems | HRS-02, UEM-14

AT Awareness and Training

Control Name | CSA AICM v1 References
AT-01 Security Awareness And Training Policy And Procedures | GRC-13, HRS-11, HRS-15
AT-02 Security Awareness | HRS-11, HRS-12, HRS-13, HRS-14
AT-03 Security Training | DCS-11, HRS-11, HRS-12, HRS-14

AU Audit and Accountability

Control Name | CSA AICM v1 References
AU-01 Audit And Accountability Policy And Procedures | A&A-01, LOG-01
AU-02 Auditable Events | CEK-09, DSP-24, LOG-01, LOG-07, LOG-08, LOG-10, LOG-11, LOG-12, LOG-14, LOG-15
AU-03 Content Of Audit Records | LOG-07, LOG-08, LOG-11, LOG-12, LOG-15
AU-05 Response To Audit Processing Failures | LOG-13
AU-06 Audit Monitoring, Analysis, And Reporting | A&A-05, AIS-12, LOG-03, LOG-04, LOG-05, LOG-13, LOG-14, MDS-05, SEF-06
AU-08 Time Stamps | LOG-06
AU-09 Protection Of Audit Information | IAM-12, LOG-02, LOG-04, LOG-09
AU-10 Non-Repudiation | IAM-12
AU-11 Audit Record Retention | LOG-02, LOG-09
AU-12 Audit Record Generation | LOG-11

CA Security Assessment and Authorization

Control Name | CSA AICM v1 References
CA-01 Certification, Accreditation, And Security Assessment Policies And Procedures | A&A-01
CA-02 Security Assessments | A&A-01, A&A-02, A&A-03, A&A-04, A&A-05, A&A-06, CEK-09, GRC-07, GRC-12, STA-05, STA-06, STA-11, STA-12, STA-13
CA-05 Plan Of Action And Milestones | A&A-04, A&A-05, A&A-06, CCC-08, GRC-04
CA-07 Continuous Monitoring | A&A-02, AIS-03, AIS-12, GRC-12, GRC-15, LOG-03, LOG-10, LOG-15, MDS-05, SEF-05, STA-11, TVM-09, TVM-10, TVM-13
CA-08 Penetration Testing | A&A-02, AIS-05, AIS-13, MDS-03, TVM-06, TVM-12
CA-09 Internal System Connections | A&A-04, DSP-05, I&S-08

CM Configuration Management

Control Name | CSA AICM v1 References
CM-01 Configuration Management Policy And Procedures | CCC-01, I&S-01, MDS-01, UEM-01
CM-02 Baseline Configuration | AIS-06, CCC-06, CCC-07, I&S-04, I&S-05, UEM-03, UEM-05, UEM-07
CM-03 Configuration Change Control | AIS-06, AIS-09, AIS-11, CCC-01, CCC-02, CCC-03, CCC-05, CCC-07, CCC-09, CEK-05, I&S-07, MDS-04, MDS-06, MDS-11, UEM-05
CM-04 Monitoring Configuration Changes | CCC-02, DSP-15, I&S-05
CM-05 Access Restrictions For Change | CCC-03, CCC-04, IAM-19, MDS-04, MDS-07
CM-06 Configuration Settings | CCC-06, I&S-04, UEM-05, UEM-07
CM-07 Least Functionality | UEM-02, UEM-10
CM-08 Information System Component Inventory | CEK-21, DCS-05, DCS-06, DCS-08, DSP-03, MDS-02, STA-07, STA-15, UEM-04, UEM-12
CM-09 Configuration Management Plan | CCC-01, CCC-03, MDS-11
CM-11 User-Installed Software | UEM-02

CP Contingency Planning

Control Name | CSA AICM v1 References
CP-01 Contingency Planning Policy And Procedures | BCR-01
CP-02 Contingency Plan | BCR-01, BCR-02, BCR-03, BCR-04, BCR-05, BCR-07, BCR-09, I&S-02
CP-03 Contingency Training | BCR-04, BCR-06
CP-04 Contingency Plan Testing And Exercises | BCR-04, BCR-06, BCR-10
CP-06 Alternate Storage Site | BCR-08
CP-07 Alternate Processing Site | BCR-03, BCR-11
CP-08 Telecommunications Services | BCR-03, BCR-07, BCR-11
CP-09 Information System Backup | BCR-08, CCC-09, CEK-18, CEK-20
CP-10 Information System Recovery And Reconstitution | BCR-09, CCC-09

IA Identification and Authentication

Control Name | CSA AICM v1 References
IA-01 Identification And Authentication Policy And Procedures | IAM-01, IAM-02
IA-02 User Identification And Authentication | IAM-10, IAM-13, IAM-14, IAM-15, IAM-17
IA-03 Device Identification And Authentication | DCS-08, IAM-18
IA-04 Identifier Management | IAM-03, IAM-06, IAM-13
IA-05 Authenticator Management | IAM-02, IAM-06, IAM-14, IAM-15
IA-08 Identification and Authentication (Non-Organizational Users) | IAM-14

IR Incident Response

Control Name | CSA AICM v1 References
IR-01 Incident Response Policy And Procedures | BCR-09, CEK-19, SEF-01, SEF-02, SEF-08, SEF-09
IR-02 Incident Response Training | DCS-11, SEF-03
IR-03 Incident Response Testing And Exercises | BCR-10, SEF-04
IR-04 Incident Handling | LOG-05, SEF-02, SEF-03, SEF-05, SEF-06, SEF-09
IR-05 Incident Monitoring | SEF-06
IR-06 Incident Reporting | BCR-07, CEK-19, DSP-18, SEF-07, SEF-08, SEF-09
IR-07 Incident Response Assistance | SEF-07
IR-08 Incident Response Plan | SEF-01, SEF-03

MP Media Protection

Control Name | CSA AICM v1 References
MP-01 Media Protection Policy And Procedures | DCS-04
MP-02 Media Access | HRS-03
MP-04 Media Storage | DCS-05
MP-05 Media Transport | DCS-02, DCS-04
MP-06 Media Sanitization And Disposal | CEK-14, DCS-01, DSP-02, DSP-16, UEM-13

PE Physical and Environmental Protection

Control Name | CSA AICM v1 References
PE-01 Physical And Environmental Protection Policy And Procedures | DCS-01, DCS-02, DCS-03
PE-02 Physical Access Authorizations | DCS-03, DCS-09
PE-03 Physical Access Control | DCS-03, DCS-07, DCS-09
PE-04 Access Control For Transmission Medium | DCS-12
PE-05 Access Control For Display Medium | DCS-06, DCS-15
PE-06 Monitoring Physical Access | DCS-07, DCS-10, DCS-11
PE-08 Access Records | DCS-10
PE-09 Power Equipment And Power Cabling | DCS-12, DCS-14
PE-10 Emergency Shutoff | DCS-14
PE-11 Emergency Power | BCR-11, DCS-14
PE-13 Fire Protection | DCS-13
PE-14 Temperature And Humidity Controls | DCS-13
PE-15 Water Damage Protection | DCS-13
PE-16 Delivery And Removal | DCS-02
PE-17 Alternate Work Site | HRS-04
PE-18 Location Of Information System Components | DCS-15

PL Planning

Control Name | CSA AICM v1 References
PL-01 Security Planning Policy And Procedures | DSP-01, GRC-01, GRC-03, MDS-01
PL-02 System Security Plan | BCR-05, CCC-08, CEK-02, DSP-05, GRC-04, GRC-06, GRC-07, HRS-09, I&S-08
PL-04 Rules Of Behavior | HRS-02, HRS-08, HRS-13
PL-07 Concept of Operations | BCR-05

PM Program Management

Control Name | CSA AICM v1 References
PM-01 Information Security Program Plan | GRC-01, GRC-03, GRC-05, GRC-06, GRC-07, GRC-09, GRC-10, GRC-12, GRC-14, SEF-02, STA-01, STA-13
PM-02 Information Security Program Leadership Role | GRC-01, GRC-05, GRC-06, GRC-10, GRC-13, HRS-09, HRS-14, HRS-15, STA-04
PM-03 Information Security and Privacy Resources | GRC-05
PM-05 System Inventory | DSP-03, DSP-06
PM-06 Measures of Performance | AIS-03, SEF-05, TVM-09, TVM-10
PM-09 Risk Management Strategy | CCC-08, GRC-02, GRC-09, GRC-10, GRC-11, GRC-14, MDS-13
PM-15 Security and Privacy Groups and Associations | GRC-08, GRC-15, SEF-08
PM-16 Threat Awareness Program | GRC-08, GRC-15

PS Personnel Security

Control Name | CSA AICM v1 References
PS-01 Personnel Security Policy And Procedures | CEK-02, GRC-13, HRS-01, HRS-07, HRS-09, HRS-15
PS-03 Personnel Screening | HRS-01
PS-04 Personnel Termination | HRS-05, HRS-06, IAM-07
PS-05 Personnel Transfer | HRS-06, IAM-07
PS-06 Access Agreements | HRS-07, HRS-08, HRS-10, HRS-13
PS-09 Position Descriptions | HRS-10

PT Personally Identifiable Information Processing and Transparency

Control Name | CSA AICM v1 References
PT-01 Policy and Procedures | DSP-01, DSP-06, DSP-07, DSP-08, DSP-09, DSP-13, DSP-14, DSP-16, DSP-18, DSP-19, DSP-20, DSP-21, DSP-22, DSP-23, HRS-12, MDS-09
PT-02 Authority to Process Personally Identifiable Information | DSP-08, DSP-12
PT-03 Personally Identifiable Information Processing Purposes | DSP-03, DSP-08, DSP-12, DSP-15, DSP-20, DSP-24, MDS-09
PT-04 Consent | DSP-11, DSP-23
PT-05 Privacy Notice | DSP-11
PT-06 System of Records Notice | DSP-11

RA Risk Assessment

Control Name | CSA AICM v1 References
RA-01 Risk Assessment Policy And Procedures | GRC-02, GRC-09, GRC-11, TVM-01
RA-02 Security Categorization | DCS-05, DSP-04
RA-03 Risk Assessment | A&A-03, BCR-02, CEK-06, CEK-07, DSP-09, DSP-21, GRC-02, GRC-11, GRC-14, MDS-12, MDS-13, STA-08, STA-14, TVM-08, TVM-11
RA-05 Vulnerability Scanning | AIS-05, AIS-07, AIS-10, MDS-03, MDS-08, TVM-01, TVM-03, TVM-05, TVM-06, TVM-07, TVM-08, TVM-09, TVM-10, TVM-11, TVM-12, TVM-13
RA-07 Risk Response | A&A-03, A&A-06, CEK-07
RA-08 Privacy Impact Assessments | DSP-09
RA-09 Criticality Analysis | BCR-02

SA System and Services Acquisition

Control Name | CSA AICM v1 References
SA-01 System And Services Acquisition Policy And Procedures | AIS-01, I&S-01, IPY-01, STA-01
SA-03 Life Cycle Support | AIS-04, AIS-06, AIS-11, AIS-15, I&S-07, MDS-02, MDS-04, MDS-10, MDS-11
SA-04 Acquisitions | CCC-05, DSP-13, I&S-07, IPY-01, IPY-02, IPY-03, IPY-04, MDS-12, STA-03, STA-09, STA-10, STA-15, UEM-03
SA-08 Security Engineering Principles | AIS-01, AIS-02, AIS-04, AIS-08, AIS-10, AIS-14, AIS-15, DSP-07, DSP-20, MDS-01, MDS-09, MDS-10
SA-09 External Information System Services | DSP-13, DSP-14, DSP-19, DSP-23, IPY-02, IPY-03, MDS-12, STA-06, STA-09, STA-12, STA-16, UEM-14
SA-11 Developer Security Testing | AIS-02, AIS-03, AIS-04, AIS-05, AIS-07, AIS-09, AIS-10, AIS-13, AIS-15, CCC-02, MDS-03, MDS-08, TVM-05, TVM-12
SA-15 Development Process, Standards, and Tools | AIS-02, AIS-04, AIS-11, MDS-10

SC System and Communications Protection

Control Name | CSA AICM v1 References
SC-01 System And Communications Protection Policy And Procedures | CEK-01, I&S-01
SC-03 Security Function Isolation | I&S-06
SC-05 Denial Of Service Protection | I&S-02, I&S-09
SC-06 Resource Priority | I&S-02
SC-07 Boundary Protection | AIS-08, I&S-03, I&S-05, I&S-06, I&S-08, I&S-09, IAM-17, UEM-10, UEM-11
SC-08 Transmission Integrity | CEK-03, DSP-10, DSP-17, I&S-03, IPY-03
SC-12 Cryptographic Key Establishment And Management | CEK-01, CEK-02, CEK-08, CEK-09, CEK-10, CEK-11, CEK-12, CEK-13, CEK-14, CEK-15, CEK-16, CEK-17, CEK-18, CEK-19, CEK-20, CEK-21
SC-13 Use Of Cryptography | AIS-14, CEK-01, CEK-03, CEK-04, CEK-05, CEK-06, CEK-07, CEK-10, DSP-10, DSP-22, LOG-10, MDS-06, UEM-08
SC-17 Public Key Infrastructure Certificates | CEK-13
SC-28 Protection of Information at Rest | CEK-03, DSP-07, DSP-17, UEM-08
SC-42 Sensor Capability and Data | UEM-01

SI System and Information Integrity

Control Name | CSA AICM v1 References
SI-01 System And Information Integrity Policy And Procedures | AIS-01, MDS-13, TVM-01, TVM-02
SI-02 Flaw Remediation | I&S-04, TVM-03, TVM-04, UEM-07
SI-03 Malicious Code Protection | TVM-02, TVM-04, UEM-09
SI-04 Information System Monitoring Tools And Techniques | AIS-12, I&S-09, LOG-03, LOG-05, LOG-13, LOG-14, MDS-05, TVM-11, TVM-13, UEM-11
SI-05 Security Alerts And Advisories | TVM-07
SI-07 Software And Information Integrity | AIS-09, AIS-13, AIS-14, CCC-04, CCC-07, MDS-06, MDS-08
SI-12 Information Output Handling And Retention | DSP-02, DSP-16, DSP-21, DSP-24

SR Supply Chain Risk Management

Control Name | CSA AICM v1 References
SR-01 Policy and Procedures | STA-01, STA-02, STA-03, STA-04, STA-05, STA-06, STA-07, STA-08, STA-10, STA-12, STA-13, STA-14, STA-15, STA-16, UEM-14
SR-02 Supply Chain Risk Management Plan | STA-02, STA-07, STA-08, STA-16
SR-03 Supply Chain Controls and Processes | STA-02, STA-08, STA-14
SR-04 Provenance | TVM-05