SAMMY UI is optimized for resolutions with a width 1024px and higher.
Cloud Controls Matrix
Browse Cloud Controls...
STA-04: SSRM Control Ownership
SSRM Control Ownership
STA-04: Is the shared ownership and applicability of all CSA CCM controls delineated according to the SSRM for the cloud service offering?
Cloud service implementations involve an SSRM between the CSP and the CSC, which varies from service to service depending on the cloud service model and the specific implementation. Accordingly, CSPs should provide comprehensive SSRM guidance to facilitate secure CSC service implementations.

Any CSP control responses should identify control applicability and ownership for their specific service.
a. Cloud service provider-owned: CSP is fully responsible.
b. Cloud service customer-owned: CSC is fully responsible.
c. Third-party outsourced: The CSP has fully outsourced this control to a third party (e.g., a supporting CSP), but the CSP is fully accountable to the CSC for the third party's performance from a supply chain perspective.
d. Shared CSP and CSC: Both the CSP and CSC have responsibilities (independent or dependent). If the CSP has partially outsourced control to a third party, that should be noted in the CSP implementation description.
e. Shared CSP and third party: The CSP has partially outsourced control to a third party (e.g., a supporting CSP). Hence, the CSP and the third party have responsibilities—but the CSC has no responsibilities. The CSP is fully accountable to the CSC for the third party's performance from a supply-chain perspective.
f. N/A: Not applicable to this specific cloud service offering (no SSRM responsibilities).

Cloud service providers should also describe the following for each control (as appropriate) for its service and the specific ownership classification:
g. Cloud service provider implementation description: How the CSP meets (or doesn't meet) the controls they are responsible for, wholly or partially. This should explain why N/A controls are not applicable for the specific service and describe the extent to which responsibility for particular controls is outsourced to third parties.
h. Cloud service customer responsibilities: A detailed description of CSC security responsibilities for the controls the customer is responsible for, wholly or partially, with references and external links (as appropriate).

The CSA's Consensus Assessments Initiative Questionnaire (CAIQ) should be used by CSPs to provide SSRM ownership and guidance to current and prospective CSCs. In cases where the CAIQ has multiple questions associated with a single control, CSPs should delineate SSRM ownership and describe how they meet their control requirements at the question level, aligned with the scope of the CSP CAIQ answer.
Control implemented
Not applicable - A “N/A” answer indicates that the portion of the control in question is out of scope of the assessment. The “SSRM control ownership” column is to be left blank (e.g., greyed out), and optionally the CSP may explain why it is the case (“CSP Implementation Description”).
No - A “No” answer indicates that the portion of the control in question is not implemented, while in scope of the assessment. The CSP has to assign the implementation responsibility of the control to the relevant party under column “SSRM control ownership”, and optionally elaborate on the “why” (has not been implemented), and “what” has to be done for its implementation by that party.
Yes - A “Yes” answer indicates that the portion of the control in question is implemented. The CSP indicates the responsible and accountable parties (SSRM control ownership), and optionally elaborates on the implementation “how-to” per relevant party CSP and/or CSC.
Control ownership
CSP-owned - The CSP is entirely responsible and accountable for the CCM control implementation.
CSC-owned - The Cloud Service Customer (CSC) is entirely responsible and accountable for the CCM control implementation.
Third-party - The third-party CSP in the supply chain (e.g., an IaaS provider) is responsible for CCM control implementation, while the CSP is fully accountable.
Shared CSP and CSC - Both the CSP and CSC share CCM control implementation responsibility and accountability.
Shared CSP and third party - Any CCM control implementation responsibility is shared between CSP and the third party, but the CSP remains fully accountable.
Description

Delineate the shared ownership and applicability of all CSA CCM controls according to the SSRM for the cloud service offering.