Cisco is pleased to release the Cisco Cloud Controls Framework (CCF) to the public. The Cisco CCF is a comprehensive set of international and national security compliance and certification requirements, aggregated in one framework. It empowers teams to make sure cloud products and services meet security and privacy requirements thanks to a simplified rationalized compliance and risk management strategy, saving significant resources.
Meeting the fast-evolving requirements for security certifications and standards across the globe is becoming increasingly important, but also extremely challenging, and resource- and time-intensive for Cloud-based software providers.
“The Cisco CCF is central to our company’s security compliance strategy. By making it available for public use, we are helping ease compliance strain and enable smoother market access and scalability for the cloud community,” explains Prasant Vadlamudi, Cisco’s Senior Director for Global Cloud Compliance. “By sharing our CCF with customers and peers, we also continue to support our commitment to transparency and accountability that are foundational to Cisco’s DNA.”
The CCF is the foundational methodology for Cisco to accelerate certification achievements across our cloud offerings and establish a strong security baseline. It is the result of years of standards research to certify SaaS products for multiple standards for repeatable practices and efficiencies. The CCF offers a structured, “build-once-use-many” approach for achieving the broadest range of international, national, and regional certifications.
With this framework, organizations can define, implement, and demonstrate controls that are foundational to security and privacy certifications consistently across SaaS portfolios, such as SOC 2, ISO 27001: 2013, ISO 27701, ISO 27017, ISO 22301, ISO 27018, Germany’s BSI C5, FedRAMP Tailored for the US public sector, the Spanish ENS, Japan’s ISMAP, PCI DSS v3.2.1, the EU Cloud Code of Conduct, and Australia’s IRAP*.
“Customer demand for global SaaS security certifications is constantly expanding, as are the security risks we all face. As the complexity of market demand grows, SaaS providers need an efficient way to simplify and streamline efforts to attain security certifications. Our experience has helped us define a common set of building blocks that are repeatable across developed products. Tailoring additional blocks for specific regional or topical certifications ensures the CCF is sensitive to the needs and expectations of regulators and customers across different geographies and sectors,” says Vadlamudi.
The CCF comes with guidance on how to implement these controls and the audit artifacts needed to demonstrate controls operating effectiveness. Cisco will regularly update the CCF as regulations evolve and new frameworks are integrated into our compliance processes.