Source: Cloud Security Alliance
Author: unknown
URL: https://cloudsecurityalliance.org/articles/ccm-v4-1-transition-timeline
ONE SENTENCE SUMMARY:
CSA’s CCM v4.1 updates cloud security controls and artifacts, adds transition timelines for STAR programs, and leaves the CCSK unchanged.
MAIN POINTS:
- Released January 28, CCM v4.1 replaces CCM v4.0.13 with expanded coverage.
- Introduced 11 new control specifications across DCS, LOG, SEF, STA, and TVM.
- Removed one control from the Identity and Access Management (IAM) domain.
- Enhanced existing control objectives through minor and major revisions for stronger risk alignment.
- Refined control language to improve clarity, consistency, interpretability, and auditability.
- Updated CAIQ v4.1 includes 283 questions aligned to CCM v4.1 controls.
- Published refreshed Implementation and Auditing Guidelines alongside the CCM v4.1 release.
- Updated CCM-Lite v4.1 provides baseline controls for all cloud service providers.
- Released CAIQ-Lite for simplified, efficient vendor assessments based on the full CAIQ.
- Collaborating to update and expand mappings from CCM v4.0.13 to CCM v4.1.
TAKEAWAYS:
- Organizations should plan migration now because STAR programs will ultimately require CCM/CAIQ v4.1.
- STAR Registry accepts both versions until December 2027, then only v4.1 for new submissions.
- Existing STAR Registry services get a two-year transition window after December 2027.
- STAR Level 2 attestation and certification will adopt v4.1, despite temporary dual acceptance.
- CCSK curriculum and exam remain unaffected by the CCM v4.1 release for now.