| ID | Title | Objective | Control Family | Threat Mappings | Guideline Mappings | Assessment Requirements |
|---|---|---|---|---|---|---|
| CCC.Core.CN01 | Encrypt Data for Transmission | Ensure that all communications are encrypted in transit to protect data integrity and confidentiality. | Encryption | 1 | 4 | 5 |
| CCC.Core.CN02 | Encrypt Data for Storage | Ensure that all data stored is encrypted at rest using strong encryption algorithms. | Encryption | 1 | 4 | 1 |
| CCC.Core.CN03 | Implement Multi-factor Authentication (MFA) for Access | Ensure that all sensitive activities require two or more identity factors during authentication to prevent unauthorized access. | Access Control | 1 | 1 | 4 |
| CCC.Core.CN04 | Log All Access and Changes | Ensure that all access attempts are logged to maintain a detailed audit trail for security and compliance purposes. | Observability | 1 | 1 | 3 |
| CCC.Core.CN05 | Prevent Access from Untrusted Entities | Ensure that secure access controls enforce the principle of least privilege to restrict access to authorized entities from explicitly trusted sources only. | Access Control | 1 | 5 | 6 |
| CCC.Core.CN06 | Restrict Deployments to Trust Perimeter | Ensure that the service and its child resources are only deployed on infrastructure in locations that are explicitly included within a defined trust perimeter. | Data Resilience | 1 | 1 | 2 |
| CCC.Core.CN07 | Alert on Unusual Enumeration Activity | Ensure that logs and associated alerts are generated when unusual enumeration activity is detected that may indicate reconnaissance activities. | Observability | 1 | 2 | 2 |
| CCC.Core.CN08 | Replicate Data to Multiple Locations | Ensure that data is replicated across multiple physical locations to protect against data loss due to hardware failures, natural disasters, or other catastrophic events. | Data Resilience | 1 | 3 | 2 |
| CCC.Core.CN09 | Ensure Integrity of Access Logs | Ensure that access logs are always recorded to an external location that cannot be manipulated from the context of the service(s) it contains logs for. | Observability | 3 | 3 | 3 |
| CCC.Core.CN10 | Restrict Data Replication to Trust Perimeter | Ensure that data is only replicated on infrastructure in locations that are explicitly included within a defined trust perimeter. | Data Resilience | 1 | 2 | 1 |
| CCC.Core.CN11 | Protect Encryption Keys | Ensure that encryption keys are managed securely by enforcing the use of approved algorithms, regular key rotation, and customer-managed encryption keys (CMEKs). | Encryption | 1 | 3 | 6 |
| CCC.Core.CN13 | Minimize Lifetime of Encryption and Authentication Certificates | Ensure that encryption and authentication certificates have a limited lifetime to reduce the risk of compromise and ensure the use of up-to-date security practices. | Encryption | 1 | 0 | 3 |
| CCC.Core.CN14 | Maintain Recent Backups | Ensure that all backups used for disaster recovery are recent and subject to a retention policy that limits deletion. | Data Resilience | 1 | 0 | 3 |
| CCC.Core.CN15 | Validate Alert and Event Publication Configuration | Ensure that alert and event publication settings cannot be changed to suppress security-relevant notifications without authorization. | Observability | 2 | 0 | 2 |
| CCC.Core.CN16 | Protect Runtime Metrics from Unauthorized Access | Ensure that operational metrics for the service or a child resource cannot be read or modified by unauthorized principals. | Observability | 1 | 0 | 2 |
| CCC.Core.CN17 | Restrict Access to State-Change Events | Ensure that state-change events for the service or a child resource cannot be read by unauthorized principals. | Observability | 1 | 0 | 1 |
| CCC.Core.CN18 | Prevent Unauthorized Modification of Resource Tags | Ensure that resource tags on the service or a child resource cannot be altered in ways that bypass organizational policy or cost controls. | Resource Management | 1 | 0 | 2 |
| CCC.Core.CN19 | Restrict Snapshot and Replica Access | Ensure that backup snapshots, replicas, and cross-region copies of the service or a child resource are not more accessible than the primary resource. | Data Resilience | 1 | 0 | 2 |
Core / Ccc
Controls
Version: