diff --git a/_posts/2024-09-23-intro-finos-ccc.md b/_posts/2024-09-23-intro-finos-ccc.md index 1a2409aaeb..64c6dcfcce 100644 --- a/_posts/2024-09-23-intro-finos-ccc.md +++ b/_posts/2024-09-23-intro-finos-ccc.md 
@@ -75,9 +75,9 @@ The project, seeded by Citi and approved in July by the FINOS Governing Board, h The Common Cloud Controls (CCC) project encompasses multiple layers. A key goal of this initiative is to establish a unified taxonomy for the services offered by various cloud service providers. For instance, AWS provides virtual computing services under the name Elastic Compute Cloud (EC2), while Azure refers to it as Virtual Machine (VM), and Google offers a similar service called Google Compute Engine (GCE). Despite the different names, these services provide comparable functionalities. Regardless of the cloud provider, it’s essential to have controls in place. These controls are tied to specific infrastructure components, which must be identified and classified using cloud-agnostic terminology before controls can be designed for better clarity. Hence identifying these common features is the foundational step in creating the CCC standard. -Threats in the cloud are reasonably well-understood. The [MITRE ATT&CK](https://attack.mitre.org/) framework is a globally recognized knowledge base used to understand and analyze the behavior of cyber adversaries. It provides a structured way to describe and categorize the tactics, techniques, and procedures (TTPs) that attackers use to infiltrate and compromise systems. CCC also aims to create a mapping of threats found in Mitre framework with the common features identified by the cloud services taxonomy in their controls. +Threats in the cloud are reasonably well-understood. The [MITRE ATT&CK framework is a globally recognized knowledge base](https://attack.mitre.org/) used to understand and analyze the behavior of cyber adversaries. It provides a structured way to describe and categorize the tactics, techniques, and procedures (TTPs) that attackers use to infiltrate and compromise systems. 
CCC also aims to create a mapping of threats found in Mitre framework with the common features identified by the cloud services taxonomy in their controls. -FINOS CCC project uses [OSCAL](https://pages.nist.gov/OSCAL/) (Open Security Controls Assessment Language) developed by NIST (National Institute of Standards and Technology) as their control language. OSCAL utilizes a machine-readable format for defining controls, which facilitates automated assessments, reporting, automated generation of compliance documentation and much more. +FINOS CCC project [uses OSCAL as its control language](https://pages.nist.gov/OSCAL/). OSCAL, standing for Open Security Controls Assessment Language, was developed by NIST (National Institute of Standards and Technology), and utilizes a machine-readable format for defining controls. It facilitates automated assessments, reporting, automated generation of compliance documentation and much more. The project also aims to validate controls through a series of tests. If you are aware of the controls required in your public cloud, you can use the tests provided in the CCC standard to verify whether those controls are properly implemented.
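Review bot: the two re-linked sentences in this hunk move the hyperlink off the proper noun and onto a descriptive clause, which hurts both readers and accessibility tooling: "[MITRE ATT&CK framework is a globally recognized knowledge base](https://attack.mitre.org/)" links a claim to a page that documents the framework, and "[uses OSCAL as its control language](https://pages.nist.gov/OSCAL/)" links a statement about the project to the NIST spec. Suggest keeping the anchor text on the names themselves, i.e. "The [MITRE ATT&CK](https://attack.mitre.org/) framework is a globally recognized knowledge base ..." and "The FINOS CCC project uses [OSCAL](https://pages.nist.gov/OSCAL/) (Open Security Controls Assessment Language) as its control language ...", as the removed lines had. While touching this paragraph, the retained sentence "CCC also aims to create a mapping of threats found in Mitre framework with the common features ..." should use the same spelling as the line above ("the MITRE ATT&CK framework") and read "a mapping of threats ... to the common features", and "FINOS CCC project uses" should start with "The".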