What It Is
A cloud-native controls framework — 197 control objectives across 17 domains covering the security concerns specific to cloud computing:
- IAM — Identity & Access Management
- DSP — Data Security & Privacy
- DCS — Datacenter Security
- CEK — Cryptography, Encryption & Key Management
- BCR — Business Continuity & Operational Resilience
- GRC — Governance, Risk & Compliance
- TVM — Threat & Vulnerability Management
- AIS — Application & Interface Security
- CCC — Change Control & Configuration Management
- HRS — Human Resources Security
- IVS — Infrastructure & Virtualization Security
- IPY — Interoperability & Portability
- LOG — Logging & Monitoring
- SEF — Security Incident Management
- STA — Supply Chain Management, Transparency & Accountability
- UEM — Universal Endpoint Management
- A&A — Audit & Assurance
Integrated with the Consensus Assessments Initiative Questionnaire (CAIQ) — a standardized questionnaire for cloud vendor security assessment.
Why It Matters
CCM is purpose-built for cloud, not adapted from traditional IT controls. It explicitly maps shared responsibility between cloud provider and customer — who owns what control, and in which deployment model (IaaS, PaaS, SaaS). It also cross-maps to ISO 27001, NIST 800-53, PCI DSS, and others, making it a Rosetta Stone for organizations that need to demonstrate compliance across multiple frameworks simultaneously.
When to Use It
Cloud security assessments, vendor due diligence, and cloud posture management. If you’re assessing a cloud-native environment, CCM provides the cloud-specific controls that generic frameworks like NIST 800-53 don’t address directly.
The Offensive Angle
CCM’s shared responsibility mapping reveals where security gaps hide. In IaaS, the customer owns everything above the hypervisor. In SaaS, the provider owns almost everything. The seams between these responsibility boundaries are where misconfigurations live — and where attackers look first. Cloud pentesters who understand CCM’s responsibility model know exactly which controls to test on the customer side vs. the provider side.
Pairs Well With
- NIST CSF — Strategic framework that CCM’s controls operationalize for cloud
- OWASP ASVS — Application-level requirements alongside CCM’s infrastructure controls
- NIST 800-115 — Governance wrapper for cloud security assessments