PS Product SecurityKnowledge Base

☁️ Cloud Security Frameworks and Standards — Practical Map

Bottom line: no single framework covers everything. Use NIST CSF 2.0 to organize cyber risk management, CSA CCM to map cloud control expectations and shared responsibility, CIS for secure baseline configurations, PCI DSS / HIPAA / FedRAMP when the business context requires them, and ISO 27001 / 27017 / 27018 when you need an auditable management-system and cloud/privacy framing.

Why this page exists

Security programs often mix together very different things:

  • broad risk-management frameworks;
  • cloud-specific control catalogs;
  • sector regulations;
  • certification or attestation programs;
  • platform hardening baselines.

That makes implementation messy.

This page is here to answer a simpler question:

Which framework should shape the conversation, and which document should drive the actual control implementation?

Quick classification

Category Typical examples Best use
Risk-management framework NIST CSF 2.0 common language for risk, priorities, and outcome mapping
Cloud control framework CSA CCM, ISO/IEC 27017 cloud responsibility model, control expectations, audit mapping
Baseline configuration guide CIS Controls, CIS Benchmarks concrete secure defaults and review checklists
Sector / legal requirement HIPAA, GLBA, DFARS/CMMC, NERC CIP mandatory obligations tied to industry or contract context
Market trust / customer assurance SOC 2, ISO/IEC 27001 external trust, procurement, assurance, and governance language
U.S. federal cloud program FedRAMP, FISMA government cloud authorization and ongoing monitoring

The most useful frameworks in practice

NIST CSF 2.0

Use NIST CSF 2.0 when you need the simplest top-level structure for communicating cyber risk across executives, platform teams, engineering, and audit. NIST describes CSF 2.0 as a taxonomy of high-level cybersecurity outcomes for organizations of any size or sector, and the current version explicitly includes the Govern function alongside Identify, Protect, Detect, Respond, and Recover.

Good fit:

  • executive communication;
  • program design;
  • quarterly reporting and improvement profiles;
  • mapping technical work to risk-management language.

Not enough on its own for:

  • exact cloud service configuration;
  • deep product-specific secure-SDLC practices;
  • direct assessor evidence without a deeper control set.

CSA Cloud Controls Matrix (CCM)

Use CSA CCM when the conversation is specifically about cloud controls and shared responsibility. CSA's current Cloud Controls Matrix and CAIQ v4.1 package describes the CCM as 207 controls across 17 security domains. Some older CSA landing text still shows 197 control objectives, so use the v4.1 package and guidance documents as the more current reference point. In practice, CCM is designed to support systematic cloud assessments and map responsibilities across actors in the cloud supply chain.

Good fit:

  • cloud program control mapping;
  • vendor / platform assessment;
  • connecting engineering evidence to cloud-specific assurance requirements;
  • shared-responsibility modeling;
  • multi-standard crosswalks.

Particularly useful when:

  • your environment spans SaaS, PaaS, and IaaS;
  • you want one cloud-specific overlay that complements NIST or ISO;
  • you need to talk about responsibility boundaries, not only generic controls.

CIS Controls and CIS Benchmarks

Use CIS Controls and CIS Benchmarks when you need implementation-ready baselines. Aqua’s framework summary calls out CIS as the place many teams go for secure cloud configuration guidance around IAM, data protection, and activity logging.

Good fit:

  • hardening baselines;
  • review checklists for cloud accounts, hosts, Docker, and Kubernetes;
  • drift detection and audit-friendly configuration reviews.

Weakness:

  • CIS is not your whole program model; it is where many teams get the exact baseline checks.

ISO/IEC 27001, 27017, and 27018

Use ISO/IEC 27001 when you need a management-system lens and external assurance vocabulary. Use ISO/IEC 27017 for cloud-specific control guidance and ISO/IEC 27018 when public-cloud privacy and PII handling matter.

Mimecast’s cloud standards overview is useful here because it separates these clearly:

  • 27017 for cloud-specific control allocation and shared responsibility;
  • 27018 for public-cloud protection of personally identifiable information;
  • 27001 for the broader ISMS model.

Good fit:

  • customer trust and procurement conversations;
  • governance, policy, and audit cadence;
  • privacy-aware cloud operating models.

PCI DSS

Use PCI DSS only when payment account data is in scope or when your architecture can materially impact cardholder data protection. The PCI Security Standards Council defines PCI DSS as a baseline of technical and operational requirements to protect payment account data.

Good fit:

  • checkout, payment, tokenization, and adjacent services;
  • security segmentation discussions;
  • encryption, access control, logging, and vulnerability-management evidence.

Weakness:

  • do not apply PCI language to every service unless cardholder-data scope really exists; otherwise you create unnecessary friction.

HIPAA Security Rule

Use HIPAA Security Rule when electronic protected health information (ePHI) is involved. HHS describes the Security Rule as establishing national standards and requiring administrative, physical, and technical safeguards for ePHI.

Good fit:

  • healthcare products and BAA-driven design reviews;
  • encryption, logging, access control, incident response, and workforce training evidence;
  • cloud service reviews when PHI handling is involved.

FedRAMP and FISMA

Use FedRAMP when you are targeting U.S. federal cloud customers. FedRAMP defines itself as the standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. Use FISMA as the broader federal information-security law context; for cloud, it often shows up through NIST controls, federal agency expectations, and ongoing monitoring obligations.

Good fit:

  • federal market entry;
  • cloud security package preparation;
  • continuous monitoring and significant-change governance;
  • evidence production with recurring cadence.

Other names you will still hear

These still matter, but usually as overlays rather than the primary engineering frame:

  • SOC 2 — strong market-trust / procurement shorthand, especially in SaaS;
  • MITRE ATT&CK / ATT&CK Cloud — not a compliance framework, but excellent for threat-informed testing and control validation;
  • GDPR / CCPA / state privacy laws — privacy and breach obligations that shape what data you collect, store, expose, and report.

NIST family quick notes

If someone says “we should align to NIST,” clarify which NIST document they mean:

NIST reference Best use Why it matters in this KB
CSF 2.0 enterprise cyber risk framing outcome language for leadership, profiles, and prioritization
SP 800-53 / 53A control catalog + assessment procedures stronger control and assurance vocabulary for regulated or high-formality environments
SP 800-171 protecting CUI in nonfederal systems contractor / federal-adjacent product and platform contexts
SP 800-61 incident response guidance response plans, tabletop structure, and post-incident discipline
SP 800-190 application container security container risk framing and baseline control discussions

The practical takeaway is simple: CSF tells you how to talk about risk, while the SP family usually tells you how to structure controls, assessments, or a specific technical domain.

A practical selection pattern

If you are building a cloud product

Use:

  • NIST CSF 2.0 for program language;
  • CSA CCM for cloud-control mapping;
  • CIS for hardening baselines;
  • sector overlays only if your customer/data context requires them.

If you are building regulated healthcare software

Use:

  • NIST CSF 2.0 or ISO 27001 for governance;
  • HIPAA Security Rule for required safeguards;
  • cloud overlays such as CSA CCM or ISO 27017 for service model clarity.

If you are targeting U.S. federal cloud

Use:

  • FedRAMP as the market entry program;
  • NIST 800-53 / 53A / 137 style control and assessment language in the evidence model;
  • strong change management and continuous monitoring discipline from day one.

How to map this into the KB

Need Better starting page
Broad program framing DevOpsSec Foundations — Shift Left, Small Batches, and Compliance as Code
CSA CCM domain walkthrough CSA Cloud Controls Matrix (CCM) — Practical Guide
Standards-to-evidence translation Compliance-to-Engineering Evidence Pass
Product-security maturity language Product Security Maturity, Scale, and Business Translation
Delivery evidence and change governance GitLab Release Evidence
Cloud hardening and practical controls Infrastructure and Cloud Security
Container and Kubernetes baselines Kubernetes Security Tooling Map and Standards

What not to do

  • do not choose a framework only because customers recognize the logo;
  • do not treat a control catalog as if it were a secure-SDLC roadmap;
  • do not confuse “cloud-specific” with “implementation-ready”; you often still need vendor-native docs and internal standards;
  • do not force every product team into every regime when the data, market, and contract scope do not justify it.

External references

Author attribution: Ivan Piskunov, 2026 - Educational and defensive-engineering use.