Tuesday, February 7, 2012

Cloud Security Alliance: Consensus Assessment Initiative Questionnaire

Last year I reviewed the Cloud Security Alliance Consensus Assessment Initiative Questionnaire (CSA-CAIQ). I've posted the enhanced version of that effort which includes a database import tab on the CAC Google Site.

There are two reasons for this post. 
The first is that I'm reminded of the importance of context and seamless integration. When I reviewed the materials, I approached it from the singular perspective of the CSA-CAIQ spreadsheet contents, trusting full alignment with the associated Cloud Controls Matrix (CCM). The end result is slight and subtle misalignment between the intent of the controls and the questions used to determine compliance. This is one of the challenges with parallel efforts. This can and will be fixed in the coming months... that's not the point. The point - and Lesson Learned - is trust but verify. I should have spot checked the questions to make sure they line up accurately with the intent of the control. Don't tell me you've never done this...

The second reason for this post is the fast pace of changing control requirements and the mild frustration of accurate mapping. I want to discuss a review I performed covering the alignment between FedRAMP and the CSA-Cloud Controls Matrix. Because of work I'm doing with Federal right now, I chose the FedRAMP baseline controls. Here is a list of differences between FedRAMP LOW, FedRAMP MOD, and the control alignment in the current version of the Cloud Controls Matrix. Note that the control alignment in the CSA-CCM assumes FedRAMP MOD, which may or may not be appropriate for your organization.

Now there are two lessons. 
The first lesson ...to remember or learn... is how important it is to understand the standard, your data, your risk, and how to review the standard's source to know what controls apply to your situation. Know the difference between LOW and MOD. Barring required compliance mandates, the goal isn't to blindly implement controls. The goal is to implement controls commensurate to the value of the data.

The second lesson? Trust but verify. It was probably accurate when the matrix was posted... but things change. Standards evolve and finalize.

Missing Controls: 
These controls exist in the FedRAMP MOD baseline (those marked * are also in the LOW baseline) but do not exist in the CSA-CCM.

AC-7*; AC-10; SC-15*; SC-30; SC-32

Extra Controls: 
These controls exist in the CSA-CCM but do not exist in the FedRAMP MOD baseline. All of the controls in the LOW baseline exist in the MOD baseline... The MOD (moderate) baseline is the more restrictive set. Put differently, these are suggested in the CSA-CCM as required FedRAMP controls but they are not.

AT-5, PM-1, PM-5, CM-04, AU-13, PE-19, SC-28(1), MP-8, PM-9, PE-2(1), PM-2, PM-3, PM-4, PM-6, PM-7, PM-8, PM-10, PM-11, AC-18(3), AC-18(4), AC-18(5), SC-16, AC-21, AU-14, SC-24, SC-3, PL-2(2), SA-13, PE-14(1), PE-11(1), SC-18(4) 
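To make this kind of baseline-versus-mapping check repeatable, here is an added example (not part of the original post, and not CSA or FedRAMP material) that normalizes control identifiers and diffs a FedRAMP baseline against the controls a matrix maps to it. The three control sets are small constructed subsets for illustration, not the full baselines.

```python
import re

# Constructed sample sets (illustrative subsets only, not the full baselines).
FEDRAMP_LOW = {"AC-7", "SC-15", "AC-2", "AU-2"}
FEDRAMP_MOD = FEDRAMP_LOW | {"AC-10", "SC-30", "SC-32", "AC-18(1)"}
CCM_MAPPED = {"AC-2", "AU-2", "AC-18(1)", "CM-04", "SC-28(1)", "PM-1"}

# family-number with an optional enhancement, e.g. AC-7, CM-04, SC-28(1)
ID_RE = re.compile(r"^([A-Z]{2})-0*(\d+)(?:\((\d+)\))?$")


def normalize(control: str) -> str:
    """Canonical spelling of a control id so CM-04 and CM-4 compare equal."""
    m = ID_RE.match(control.strip().upper())
    if not m:
        raise ValueError(f"unrecognized control id: {control!r}")
    family, number, enh = m.groups()
    return f"{family}-{int(number)}" + (f"({enh})" if enh else "")


def sort_key(control: str):
    """Order by family, then numerically (AC-7 before AC-10), then enhancement."""
    family, number, enh = ID_RE.match(control).groups()
    return (family, int(number), int(enh or 0))


def compare(baseline, mapped):
    """Return (controls in the baseline but not mapped, mapped but not in the baseline)."""
    b = {normalize(c) for c in baseline}
    m = {normalize(c) for c in mapped}
    return sorted(b - m, key=sort_key), sorted(m - b, key=sort_key)


def review(low, mod, mapped):
    """Diff the mapping against MOD; flag missing controls that are also in LOW with *."""
    missing_mod, extra = compare(mod, mapped)
    low_norm = {normalize(c) for c in low}
    missing = [c + ("*" if c in low_norm else "") for c in missing_mod]
    return missing, extra


if __name__ == "__main__":
    missing, extra = review(FEDRAMP_LOW, FEDRAMP_MOD, CCM_MAPPED)
    print("Missing from mapping:", ", ".join(missing))
    print("Extra in mapping:", ", ".join(extra))
```

Swap the constructed sets for the real baseline and mapping exports, and re-run whenever either source changes; the normalizer is what keeps variants like CM-04 and CM-4 from showing up as false differences.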

[UPDATE]: The extended team is in the planning stages for CSA-CCM v1.3.