
CSA Cloud Controls Matrix v4

The de facto cloud security standard, with 197 control objectives across 17 domains. It is used for STAR certification and cloud provider assessments, and maps to ISO 27001, NIST 800-53, PCI DSS, SOC 2, and CIS Controls. The tables below are organized by NIST SP 800-53 control family; each control is followed by the CSA CCM v4 control IDs it maps to.

AC Access Control

Control Name CSA CCM v4 References
AC-01 Access Control Policies and Procedures
DSP-01, IAM-01
AC-02 Account Management
IAM-03, IAM-05, IAM-06, IAM-07, IAM-08, IAM-10, IAM-11, IAM-13, LOG-12
AC-03 Access Enforcement
DSP-17, IAM-16
AC-04 Information Flow Enforcement
DSP-05, DSP-10, IVS-03, IVS-06, UEM-11
AC-05 Separation Of Duties
IAM-04, IAM-09
AC-06 Least Privilege
IAM-04, IAM-05, IAM-08, IAM-09, IAM-10, IAM-11, IAM-16, LOG-04
AC-11 Session Lock
HRS-03, UEM-06
AC-16 Automated Labeling
DSP-04, DSP-06, IAM-16
AC-17 Remote Access
HRS-04
AC-19 Access Control For Portable And Mobile Devices
UEM-01, UEM-13
AC-20 Use Of External Information Systems
HRS-02, UEM-14

AT Awareness and Training

Control Name CSA CCM v4 References
AT-01 Security Awareness And Training Policy And Procedures
HRS-11
AT-02 Security Awareness
HRS-11, HRS-12, HRS-13
AT-03 Security Training
DCS-11, HRS-11, HRS-12

AU Audit and Accountability

Control Name CSA CCM v4 References
AU-01 Audit And Accountability Policy And Procedures
AA-01, LOG-01
AU-02 Auditable Events
CEK-09, LOG-01, LOG-07, LOG-08, LOG-10, LOG-11, LOG-12
AU-03 Content Of Audit Records
LOG-07, LOG-08, LOG-11, LOG-12
AU-05 Response To Audit Processing Failures
LOG-13
AU-06 Audit Monitoring, Analysis, And Reporting
AA-05, LOG-03, LOG-04, LOG-05, LOG-13, SEF-06
AU-08 Time Stamps
LOG-06
AU-09 Protection Of Audit Information
IAM-12, LOG-02, LOG-04, LOG-09
AU-10 Non-Repudiation
IAM-12
AU-11 Audit Record Retention
LOG-02, LOG-09
AU-12 Audit Record Generation
LOG-11

CA Security Assessment and Authorization

Control Name CSA CCM v4 References
CA-01 Certification, Accreditation, And Security Assessment Policies And Procedures
AA-01
CA-02 Security Assessments
AA-01, AA-02, AA-03, AA-04, AA-05, AA-06, CEK-09, GRC-07, STA-05, STA-06, STA-11, STA-12, STA-13
CA-05 Plan Of Action And Milestones
AA-04, AA-05, AA-06, CCC-08, GRC-04
CA-07 Continuous Monitoring
AA-02, AIS-03, LOG-03, LOG-10, SEF-05, STA-11, TVM-09, TVM-10
CA-08 Penetration Testing
AA-02, AIS-05, TVM-06
CA-09 Internal System Connections
AA-04, DSP-05, IVS-08

CM Configuration Management

Control Name CSA CCM v4 References
CM-01 Configuration Management Policy And Procedures
CCC-01, IVS-01, UEM-01
CM-02 Baseline Configuration
AIS-06, CCC-06, CCC-07, IVS-04, IVS-05, UEM-03, UEM-05, UEM-07
CM-03 Configuration Change Control
AIS-06, CCC-01, CCC-02, CCC-03, CCC-04, CCC-05, CCC-07, CCC-08, CCC-09, CEK-05, IVS-07, UEM-05
CM-04 Monitoring Configuration Changes
CCC-02, DSP-15, IVS-05
CM-05 Access Restrictions For Change
CCC-03, CCC-04
CM-06 Configuration Settings
CCC-06, IVS-04, UEM-05, UEM-07
CM-07 Least Functionality
UEM-02, UEM-10
CM-08 Information System Component Inventory
CEK-21, DCS-05, DCS-06, DCS-08, DSP-03, STA-07, UEM-04, UEM-12
CM-09 Configuration Management Plan
CCC-01, CCC-03
CM-11 User-Installed Software
UEM-02

CP Contingency Planning

Control Name CSA CCM v4 References
CP-01 Contingency Planning Policy And Procedures
BCR-01
CP-02 Contingency Plan
BCR-01, BCR-02, BCR-03, BCR-04, BCR-05, BCR-07, BCR-09, IVS-02
CP-03 Contingency Training
BCR-04, BCR-06
CP-04 Contingency Plan Testing And Exercises
BCR-04, BCR-06, BCR-10
CP-06 Alternate Storage Site
BCR-08
CP-07 Alternate Processing Site
BCR-03, BCR-11
CP-08 Telecommunications Services
BCR-03, BCR-07, BCR-11
CP-09 Information System Backup
BCR-08, CCC-09, CEK-18, CEK-20
CP-10 Information System Recovery And Reconstitution
BCR-09, CCC-09

IA Identification and Authentication

Control Name CSA CCM v4 References
IA-01 Identification And Authentication Policy And Procedures
IAM-01, IAM-02
IA-02 User Identification And Authentication
IAM-10, IAM-13, IAM-14, IAM-15
IA-03 Device Identification And Authentication
DCS-08
IA-04 Identifier Management
IAM-03, IAM-06, IAM-13
IA-05 Authenticator Management
IAM-02, IAM-06, IAM-14, IAM-15
IA-08 Identification and Authentication (Non-Organizational Users)
IAM-14

IR Incident Response

Control Name CSA CCM v4 References
IR-01 Incident Response Policy And Procedures
BCR-09, CEK-19, SEF-01, SEF-02, SEF-08
IR-02 Incident Response Training
DCS-11, SEF-03
IR-03 Incident Response Testing And Exercises
BCR-10, SEF-04
IR-04 Incident Handling
LOG-05, SEF-02, SEF-03, SEF-05, SEF-06
IR-05 Incident Monitoring
SEF-06
IR-06 Incident Reporting
BCR-07, CEK-19, DSP-18, SEF-07, SEF-08
IR-07 Incident Response Assistance
SEF-07
IR-08 Incident Response Plan
SEF-01, SEF-03

MP Media Protection

Control Name CSA CCM v4 References
MP-01 Media Protection Policy And Procedures
DCS-04
MP-02 Media Access
HRS-03
MP-04 Media Storage
DCS-05
MP-05 Media Transport
DCS-02, DCS-04
MP-06 Media Sanitization And Disposal
CEK-14, DCS-01, DSP-02, DSP-16, UEM-13

PE Physical and Environmental Protection

Control Name CSA CCM v4 References
PE-01 Physical And Environmental Protection Policy And Procedures
DCS-01, DCS-02, DCS-03
PE-02 Physical Access Authorizations
DCS-03, DCS-09
PE-03 Physical Access Control
DCS-03, DCS-07, DCS-09
PE-04 Access Control For Transmission Medium
DCS-12
PE-05 Access Control For Display Medium
DCS-06, DCS-15
PE-06 Monitoring Physical Access
DCS-07, DCS-10, DCS-11
PE-08 Access Records
DCS-10
PE-09 Power Equipment And Power Cabling
DCS-12, DCS-14
PE-10 Emergency Shutoff
DCS-14
PE-11 Emergency Power
BCR-11, DCS-14
PE-13 Fire Protection
DCS-13
PE-14 Temperature And Humidity Controls
DCS-13
PE-15 Water Damage Protection
DCS-13
PE-16 Delivery And Removal
DCS-02
PE-17 Alternate Work Site
HRS-04
PE-18 Location Of Information System Components
DCS-15

PL Planning

Control Name CSA CCM v4 References
PL-01 Security Planning Policy And Procedures
DSP-01, GRC-01, GRC-03
PL-02 System Security Plan
BCR-05, CCC-08, CEK-02, DSP-05, GRC-04, GRC-06, GRC-07, HRS-09, IVS-08
PL-04 Rules Of Behavior
HRS-02, HRS-08, HRS-13
PL-07 Concept of Operations
BCR-05

PM Program Management

Control Name CSA CCM v4 References
PM-01 Information Security Program Plan
GRC-01, GRC-03, GRC-05, GRC-06, GRC-07, SEF-02, STA-01, STA-13
PM-02 Information Security Program Leadership Role
GRC-01, GRC-05, GRC-06, HRS-09, STA-04
PM-03 Information Security and Privacy Resources
GRC-05
PM-05 System Inventory
DSP-03, DSP-06
PM-06 Measures of Performance
AIS-03, SEF-05, TVM-09, TVM-10
PM-09 Risk Management Strategy
GRC-02
PM-15 Security and Privacy Groups and Associations
GRC-08, SEF-08
PM-16 Threat Awareness Program
GRC-08

PS Personnel Security

Control Name CSA CCM v4 References
PS-01 Personnel Security Policy And Procedures
CEK-02, HRS-01, HRS-07, HRS-09
PS-03 Personnel Screening
HRS-01
PS-04 Personnel Termination
HRS-05, HRS-06, IAM-07
PS-05 Personnel Transfer
HRS-06, IAM-07
PS-06 Access Agreements
HRS-07, HRS-08, HRS-10, HRS-13
PS-09 Position Descriptions
HRS-10

PT Personally Identifiable Information Processing and Transparency

Control Name CSA CCM v4 References
PT-01 Policy and Procedures
DSP-01, DSP-06, DSP-07, DSP-08, DSP-09, DSP-13, DSP-14, DSP-16, DSP-18, DSP-19, HRS-12
PT-02 Authority to Process Personally Identifiable Information
DSP-08, DSP-12
PT-03 Personally Identifiable Information Processing Purposes
DSP-03, DSP-08, DSP-12, DSP-15
PT-04 Consent
DSP-11
PT-05 Privacy Notice
DSP-11
PT-06 System of Records Notice
DSP-11

RA Risk Assessment

Control Name CSA CCM v4 References
RA-01 Risk Assessment Policy And Procedures
GRC-02, TVM-01
RA-02 Security Categorization
DCS-05, DSP-04
RA-03 Risk Assessment
AA-03, BCR-02, CEK-06, CEK-07, DSP-09, GRC-02, STA-08, STA-14, TVM-08
RA-05 Vulnerability Scanning
AIS-05, AIS-07, TVM-01, TVM-03, TVM-05, TVM-06, TVM-07, TVM-08, TVM-09, TVM-10
RA-07 Risk Response
AA-03, AA-06, CEK-07
RA-08 Privacy Impact Assessments
DSP-09
RA-09 Criticality Analysis
BCR-02

SA System and Services Acquisition

Control Name CSA CCM v4 References
SA-01 System And Services Acquisition Policy And Procedures
AIS-01, IPY-01, IVS-01, STA-01
SA-03 Life Cycle Support
AIS-04, AIS-06, IVS-07
SA-04 Acquisitions
CCC-05, DSP-13, IPY-01, IPY-02, IPY-03, IPY-04, IVS-07, STA-03, STA-09, STA-10, UEM-03
SA-08 Security Engineering Principles
AIS-01, AIS-02, AIS-04, DSP-07
SA-09 External Information System Services
DSP-13, DSP-14, DSP-19, IPY-02, IPY-03, STA-06, STA-09, STA-12, UEM-14
SA-11 Developer Security Testing
AIS-02, AIS-03, AIS-04, AIS-05, AIS-07, CCC-02, TVM-05
SA-15 Development Process, Standards, and Tools
AIS-02, AIS-04

SC System and Communications Protection

Control Name CSA CCM v4 References
SC-01 System And Communications Protection Policy And Procedures
CEK-01, IVS-01
SC-03 Security Function Isolation
IVS-06
SC-05 Denial Of Service Protection
IVS-02, IVS-09
SC-06 Resource Priority
IVS-02
SC-07 Boundary Protection
IVS-03, IVS-05, IVS-06, IVS-08, IVS-09, UEM-10, UEM-11
SC-08 Transmission Integrity
CEK-03, DSP-10, DSP-17, IPY-03, IVS-03
SC-12 Cryptographic Key Establishment And Management
CEK-01, CEK-02, CEK-08, CEK-09, CEK-10, CEK-11, CEK-12, CEK-13, CEK-14, CEK-15, CEK-16, CEK-17, CEK-18, CEK-19, CEK-20, CEK-21
SC-13 Use Of Cryptography
CEK-01, CEK-03, CEK-04, CEK-05, CEK-06, CEK-07, CEK-10, DSP-10, LOG-10, UEM-08
SC-17 Public Key Infrastructure Certificates
CEK-13
SC-28 Protection of Information at Rest
CEK-03, DSP-07, DSP-17, UEM-08
SC-42 Sensor Capability and Data
UEM-01

SI System and Information Integrity

Control Name CSA CCM v4 References
SI-01 System And Information Integrity Policy And Procedures
AIS-01, TVM-01, TVM-02
SI-02 Flaw Remediation
AIS-07, IVS-04, TVM-03, TVM-04, UEM-07
SI-03 Malicious Code Protection
TVM-02, TVM-04, UEM-09
SI-04 Information System Monitoring Tools And Techniques
IVS-09, LOG-03, LOG-05, LOG-13, UEM-11
SI-05 Security Alerts And Advisories
TVM-07
SI-07 Software And Information Integrity
CCC-04, CCC-07
SI-12 Information Output Handling And Retention
DSP-02, DSP-16

SR Supply Chain Risk Management

Control Name CSA CCM v4 References
SR-01 Policy and Procedures
STA-01, STA-02, STA-03, STA-04, STA-05, STA-06, STA-07, STA-08, STA-10, STA-12, STA-13, STA-14, UEM-14
SR-02 Supply Chain Risk Management Plan
STA-02, STA-07, STA-08
SR-03 Supply Chain Controls and Processes
STA-02, STA-08, STA-14
SR-04 Provenance
TVM-05