Overview
- Published on September 24, SSCF v1.0 defines 36 configurable controls mapped to six domains derived from CSA’s Cloud Controls Matrix (CCM) v4: CCC (Change Control and Configuration Management), DSP (Data Security and Privacy Lifecycle Management), IAM (Identity and Access Management), IPY (Interoperability and Portability), LOG (Logging and Monitoring), and SEF (Security Incident Management, E-Discovery, and Cloud Forensics).
- Identity and access management is prioritized, with mandatory support for multifactor authentication to counter a leading breach vector, cited in 46% of SaaS incidents.
- The framework requires visibility and control over nonhuman identities such as API keys, bots, and AI agents, including identification details and programmatic revocation.
- SSCF complements SOC 2 and ISO 27001 by translating high-level requirements into customer-facing features like SSO enforcement, log delivery, configuration querying, audit roles, and incident contacts.
- CSA and contributors are developing implementation and auditing guidance next, with an assessment and certification scheme planned to measure control effectiveness.