CSA CCM Mapping Scope

Scope Overview

Scoping decisions for mapping the Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) are documented below. These scoping decisions were used for control review and selection for mapping according to the Mapping Methodology.

General Scoping Decisions

Operational vs. Policy and Procedural Controls
This effort focuses on the technical and operational elements of the CSA CCM and does not take into account the management elements, which are typically concerned with organization-specific policies and procedures (e.g., the -01 controls). This decision was made because management-specific capabilities are policy-based, while the intent of this effort is to focus on technical and operational capabilities that correlate to ATT&CK mitigations, techniques, and sub-techniques.

Mitigation vs. Monitoring
Capabilities that only monitor adversary behaviors are out of scope. The focus of this effort is on technical capabilities that mitigate adversary techniques and sub-techniques. No consideration is given to the possibility that an adversary might be dissuaded, or might change tactics to avoid detection, if they believed their activity was being monitored.

Controls vs. Control Domain
This effort maps at the control level. Each control's cloud security domain grouping was considered for context.

Implicit vs. Explicit Mitigation
This effort focuses on system-specific technical mitigations (e.g., block USB devices, perform data backups) and the capabilities that support those mitigations, rather than non-technical methods of mitigation (e.g., restrict physical access to systems, develop a backup policy).

Pre-compromise Mitigation
Techniques associated only with the Pre-compromise mitigation are excluded. These are techniques that occur before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques, and they are considered out of scope.

CSA CCM Control Scoping Decisions

The CSA CCM scoping decisions are captured below at the cloud security domain level, along with the rationale for the controls in each domain being in or out of scope. Each CCM domain defines a category, and controls fall under those categories. Mappings are made at the control level.

Cloud Security Domain | In Scope | Rationale
Audit and Assurance (A&A) | No | A&A controls are not applicable, as they are designed for audit management rather than for mitigating specific threats.
Application and Interface Security (AIS) | Yes | AIS controls for mitigating risks to cloud landscapes during application design and development are in scope.
Business Continuity Management and Operational Resilience (BCR) | Yes | The BCR control for data backup is in scope. Controls for policy and procedural management are out of scope.
Change Control and Configuration Management (CCC) | No | CCC controls are not applicable, as they provide policy and procedural management and are not mitigations for specific threats.
Cryptography, Encryption, and Key Management (CEK) | Yes | The CEK control for providing cryptographic protection of data at rest and in transit is in scope. Policy and procedural management controls are out of scope.
Datacenter Security (DCS) | Yes | DCS controls related to data resiliency and authentication integrity are in scope. Controls for physical safeguarding of assets are out of scope.
Data Security and Privacy Lifecycle Management (DSP) | Yes | DSP controls for implementing security over the data lifecycle are in scope. Controls for policy, procedure, and governance are out of scope.
Governance, Risk, and Compliance (GRC) | No | GRC controls are not applicable, as they consist of policy and procedural controls, which are out of scope.
Human Resources (HRS) | Yes | HRS controls are not applicable, as they consist of policy and procedural management controls, which are out of scope.
Identity and Access Management (IAM) | Yes | IAM controls for implementing security principles for managing identities and access to security functions and data are in scope. The control for policy and procedure is out of scope.
Interoperability and Portability (IPY) | Yes | IPY controls for implementing security controls for the safe and secure exchange of data are in scope. Controls for policy, procedure, and contractual obligations are out of scope.
Infrastructure Security (I&S) | Yes | I&S controls implementing measures to secure infrastructure and virtualization technologies are in scope. Controls for policy, procedure, and documentation are out of scope.
Logging and Monitoring (LOG) | Yes | LOG controls that implement security for logs and records are in scope. Controls for policy, procedure, and monitoring are out of scope.
Security Incident Management, E-Discovery, and Cloud Forensics (SEF) | No | SEF controls cover incident management and response and are not applicable, as they do not provide mitigation of threats.
Supply Chain Management, Transparency, and Accountability (STA) | Yes | STA controls that provide mitigations for specific threats are in scope. Controls for policy, procedure, and documentation requirements are out of scope.
Threat and Vulnerability Management (TVM) | Yes | TVM controls for implementing measures to mitigate security threats in cloud environments are in scope. Controls for policy, procedure, and reporting are out of scope.
Universal Endpoint Management (UEM) | Yes | UEM controls implementing security controls to mitigate risks associated with endpoints are in scope. Controls for policy, procedure, and documentation are out of scope.