Cisco Announces Cloud Controls Framework Is Now Available to Public

The Cisco CCF helps save resources by enabling organizations to achieve cloud security certifications more efficiently.

May 5, 2022

4 Min Read
Dark Reading logo in a gray background | Dark Reading

SAN JOSE, Calif., May 5, 2022 — Today, Cisco is pleased to release the Cisco Cloud Controls Framework (CCF) to the public. The Cisco CCF is a comprehensive set of international and national security compliance and certification requirements, aggregated in one framework. It empowers teams to make sure cloud products and services meet security and privacy requirements thanks to a simplified rationalized compliance and risk management strategy, saving significant resources.

Meeting the fast-evolving requirements for security certifications and standards across the globe is becoming increasingly important, but also extremely challenging, and resource- and time-intensive for Cloud-based software providers.

“The Cisco CCF is central to our company’s security compliance strategy. By making it available for public use, we are helping ease compliance strain and enable smoother market access and scalability for the cloud community,” explains Prasant Vadlamudi, Cisco’s Senior Director for Global Cloud Compliance. “By sharing our CCF with customers and peers, we also continue to support our commitment to transparency and accountability that are foundational to Cisco’s DNA.”

The CCF is the foundational methodology for Cisco to accelerate certification achievements across our cloud offerings and establish a strong security baseline. It is the result of years of standards research to certify SaaS products for multiple standards for repeatable practices and efficiencies. The CCF offers a structured, “build-once-use-many” approach for achieving the broadest range of international, national, and regional certifications.

With this framework, organizations can define, implement, and demonstrate controls that are foundational to security and privacy certifications consistently across SaaS portfolios, such as SOC 2, ISO 27001: 2013, ISO 27701, ISO 27017, ISO 22301, ISO 27018, Germany’s BSI C5, FedRAMP Tailored for the US public sector, the Spanish ENS, Japan’s ISMAP, PCI DSS v3.2.1, the EU Cloud Code of Conduct, and Australia’s IRAP*.

“Customer demand for global SaaS security certifications is constantly expanding, as are the security risks we all face. As the complexity of market demand grows, SaaS providers need an efficient way to simplify and streamline efforts to attain security certifications. Our experience has helped us define a common set of building blocks that are repeatable across developed products. Tailoring additional blocks for specific regional or topical certifications ensures the CCF is sensitive to the needs and expectations of regulators and customers across different geographies and sectors,” says Vadlamudi.

The CCF comes with guidance on how to implement these controls and the audit artifacts needed to demonstrate controls operating effectiveness. Cisco will regularly update the CCF as regulations evolve and new frameworks are integrated into our compliance processes.

Additional Resources:

*SOC 2® - SOC for Service Organizations: Trust Services Criteria; ISO IEC 27001:2013 - Information technology — Security techniques — Information security management systems — Requirements; ISO/IEC 27017:2015 - Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services; ISO/IEC 27018:2019 - Information technology — Security techniques — Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors; ISO/IEC 27701:2019 - Security techniques — Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management — Requirements and guidelines; ISO 22301:2019 - Security and resilience — Business continuity management systems — Requirements; Federal Risk and Authorization Management Program (FedRAMP LI-SAAS/Tailored); Esquema Nacional de Seguridad (ENS); Infosec Registered Assessors Program (IRAP December 2020); Payment Card Industry Data Security Standard (PCI-DSS v3.2.1); Information System Security Management and Assessment Program (ISMAP); Cloud Computing Compliance Controls Catalogue (C5); EU Cloud Code of Conduct (CoC); Third Party Cybersecurity Compliance Certificate (CCC)

About Cisco

Cisco (NASDAQ: CSCO) is the worldwide leader in technology that powers the Internet. Cisco inspires new possibilities by reimagining your applications, securing your data, transforming your infrastructure, and empowering your teams for a global and inclusive future. Discover more on The Newsroom and follow us on Twitter.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company.


Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights