This blog was published on February 19, 2026 with the latest information regarding the release of CCM v4.1.
On January 28, CSA released version 4.1 of the Cloud Controls Matrix (CCM), succeeding CCM v4.0.13. This latest version strengthens the framework by incorporating requirements arising from emerging cloud technologies, introducing new and updated controls, and enhancing interoperability and alignment with other leading standards and regulatory frameworks.
CCM v4.1 reflects CSA’s continued commitment to ensuring that the framework remains current, comprehensive, and responsive to the evolving cloud risk landscape. For additional details on the updates and their impact, please refer to the official release blog.
Here we will discuss the transition timeline for when organizations using the CCM in other CSA programs will need to start using version 4.1. We will also answer questions around how the new version will affect:
CCM v4.1 introduces 11 new control specifications across critical domains, including Datacenter Security (DCS), Logging and Monitoring (LOG), Security Incident Management (SEF), Supply Chain Management (STA), and Threat & Vulnerability Management (TVM). One control within the Identity and Access Management (IAM) domain was removed.
The update also includes further enhancements to existing control objectives, with both minor and major revisions to expand the CCM’s depth and precision, improve coverage, introduce new requirements, and strengthen alignment with the evolving risk landscape. Control language has been refined to improve clarity and consistency, making interpretation and auditing more straightforward.
In addition, supporting components have been updated. The Consensus Assessments Initiative Questionnaire (CAIQ) v4.1 now includes 283 questions aligned with the latest controls. Corresponding updates have also been made to the Implementation and Auditing Guidelines, CCM-Lite, and CAIQ-Lite.
The CCM Implementation Guidelines were originally released with CCM v4 and have been updated to align with CCM v4.1. As a core component of the framework, the Implementation Guidelines explain how to use the CCM and support users in understanding and effectively implementing its controls. Please note that implementation within specific technological environments (e.g., AWS, Azure, GCP) is beyond the scope of the Guidelines. For platform-specific discussions and peer collaboration, users are encouraged to participate in the dedicated SCC WG calls discussion. The updated Implementation Guidelines are available for download alongside the CCM v4.1 release.
The CCM Auditing Guidelines, also introduced with CCM v4, have likewise been updated to reflect the changes incorporated in CCM v4.1. These Guidelines provide direction on how to approach the auditing and assessment of CCM controls and support both auditors and auditees in evaluating proper control adoption. The updated Auditing Guidelines are available together with the CCM v4.1 standard.
CCM Lite has already been updated to version 4.1, in alignment with the CCM v4.1 release.
CCM Lite is a streamlined version of the CCM that includes the foundational controls every cloud service provider (CSP) should implement, regardless of delivery model, size, or operational complexity. These controls serve as the baseline for establishing a strong security posture.
Yes, CAIQ-Lite is also available. Derived from the full Consensus Assessments Initiative Questionnaire (CAIQ), it provides a simplified approach to vendor assessments, enabling more efficient and focused engagement between cloud providers and cybersecurity professionals.
CSA and the SCC WG are currently collaborating with industry partners to update the mappings originally published with CCM v4.0.13 and align them with the changes introduced in CCM v4.1.
CSA will also continue expanding the mapping portfolio by incorporating additional mappings into CCM v4.1 over time.
Start accepting both V4.1 and V4.0 submissions for STAR Levels 1 and 2 to the CSA Registry.
Only STAR Level 1 submissions based on version 4.1 will be accepted. (All surveillance audits and recertifications must be carried out using CAIQ v4.1)
Only STAR Level 2 submissions based on version 4.1 will be accepted.
(All CBs have transitioned and are ready to deliver STAR Level 2 based on CCM v4.1.)
CCMv4.0.x and CAIQv4.0.x will be withdrawn. (Withdrawn means it is no longer relevant. No further work will be done to maintain or update a withdrawn standard. Withdrawn standards are therefore still available in the CSA archives for reference only.)
CCM v4.1 and CAIQ v4.1 are available for use, and the STAR Registry is ready to accept Level 1 and Level 2 submissions based on CCM v4.1.
Until December 2027 we'll accept both versions of the CAIQ and CCM. After December 2027, all new STAR submissions (i.e., those services that are joining the STAR Registry) shall be done using V4.1. Companies/services that were in the registry prior to the v4.1 release have a two-year transition period to switch to the new version.
Yes, CCM v4.1 will be adopted as part of the STAR Level 2 program for both STAR Attestation and STAR Certification. While both versions are currently accepted, we strongly encourage organizations to adopt V4.1 as soon as possible.
For the time being the CCSK curriculum and exam will remain as is, and CCM v4.1 won't affect it in any way.