National Cybersecurity Authority Issues Cloud Cybersecurity Controls

The National Cybersecurity Authority (NCA) has issued the Cloud Cybersecurity Controls (CCC -1:2020) document as an extension to the application of its Essential Cybersecurity Controls 2018 (ECC 2018).

The CCC-1:2020 is intended to reduce cybersecurity risks for both cloud service providers and cloud customers.

It comes as part of efforts of the NCA, which is the competent authority to issue, monitor, and update cybersecurity policies and standards in the Kingdom, thereby enhancing the national cyberspace.

The document enables defining security requirements for cloud services to meet the security needs and increase the readiness level for all cloud services against cyber risks.

The CCC-1:2020 was developed after studying many cybersecurity standards, frameworks and controls that were developed by national and international organizations and entities, in addition to studying the best cybersecurity international practices and experiences.

The document consists of 37 main controls and 96 subcontrols for cloud service providers, as well as 18 main controls and 26 subcontrols for cloud service tenants, which are divided into 4 main domains. Furthermore, NCA has developed the cybersecurity cloud controls methodology and mapping annex document, which contains the design principles of the cybersecurity cloud controls, relation with other international standards, design methodology, main domains and subdomains structure, and a number of other explanatory sections.

NCA works with all the relevant organizations to implement these controls, thus enhancing the Kingdom’s cybersecurity to protect its vital interest, national security, critical infrastructure, high priority sectors and government services and activities. 

Saudi Gazette