What is CCI?
The Control Correlation Identifier (CCI) provides a standard
identifier and description for each of the singular, actionable statements that
comprise an IA control or IA best practice. CCI bridges the gap between
high-level policy expressions and low-level technical implementations. CCI
allows a security requirement that is expressed in a high-level policy framework
to be decomposed and explicitly associated with the low-level security
setting(s) that must be assessed to determine compliance with the objectives of
that specific security control. This ability to trace security requirements from
their origin (e.g., regulations, IA frameworks) to their low-level
implementation allows organizations to readily demonstrate compliance with
multiple IA compliance frameworks. CCI also provides a means to objectively
roll up and compare related compliance assessment results across disparate
technologies.
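The trace and rollup described above, as an added example that is not part of the original page or the CCI project's own code: each low-level check result carries a CCI, and the CCI's references map it up to controls in one or more frameworks. All CCI ids, framework names, control ids and findings below are constructed placeholders, not entries from the published CCI List.

```python
from collections import defaultdict

# Constructed placeholders: these CCI ids, frameworks and control ids are
# illustrative only and are NOT taken from the published CCI List.
CCI_REFERENCES = {
    "CCI-X00001": [("FRAMEWORK-1", "CTRL-A"), ("FRAMEWORK-2", "REQ-7")],
    "CCI-X00002": [("FRAMEWORK-1", "CTRL-A")],
    "CCI-X00003": [("FRAMEWORK-1", "CTRL-B"), ("FRAMEWORK-2", "REQ-9")],
}

# Constructed assessment results: (technology, check, CCI assessed, status).
FINDINGS = [
    ("linux-host", "sshd-idle-timeout", "CCI-X00001", "pass"),
    ("windows-host", "rdp-idle-timeout", "CCI-X00001", "fail"),
    ("linux-host", "audit-account-changes", "CCI-X00002", "pass"),
    ("network-switch", "login-banner", "CCI-X00003", "not_reviewed"),
    ("windows-host", "legacy-setting", "CCI-X09999", "pass"),  # CCI not in the list
]

# When several checks feed one control, the worst status wins.
SEVERITY = {"pass": 0, "not_reviewed": 1, "fail": 2}

def roll_up(findings, references):
    """Return ({(framework, control): rollup}, [findings with no traceable CCI])."""
    rollup = defaultdict(lambda: {"status": "pass", "evidence": []})
    untraceable = []
    for finding in findings:
        tech, check, cci, status = finding
        refs = references.get(cci)
        if not refs:
            # A result that cannot be traced to a requirement must not
            # silently count toward (or against) any control.
            untraceable.append(finding)
            continue
        for framework, control in refs:
            entry = rollup[(framework, control)]
            entry["evidence"].append((tech, check, cci, status))
            if SEVERITY[status] > SEVERITY[entry["status"]]:
                entry["status"] = status
    return dict(rollup), untraceable

if __name__ == "__main__":
    controls, untraceable = roll_up(FINDINGS, CCI_REFERENCES)
    for (framework, control), entry in sorted(controls.items()):
        print(framework, control, entry["status"], len(entry["evidence"]), "checks")
    for finding in untraceable:
        print("untraceable:", finding)
```

The same two idle-timeout checks from different technologies report against controls in both placeholder frameworks because they share one CCI, which is the cross-framework reuse the paragraph describes.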
What is the status of CCI?
A draft version of the CCI List conforming to CCI version 2 is now available.
This list contains CCIs derived from NIST SP 800-53.
How can I get involved?
We encourage members of the Information Security Community to participate in
the CCI effort by sending feedback on the CCI list to disa.stig_spt@mail.mil.
Comments may also be provided using the CCI Comment Matrix.