Cloud Computing Compliance Controls Catalog (C5)
Cloud Computing Compliance Controls Catalog (C5) is a German government-backed attestation scheme introduced by the Federal Office for Information Security (BSI) to help organizations demonstrate operational security against common cyber-attacks when using cloud services, in the context of the German government's "Security Recommendations for Cloud Providers".
The C5 attestation can be used by AWS customers and their compliance advisors to understand the security controls AWS has implemented to meet the C5 requirements as they move their workloads to the cloud. C5 specifies a baseline IT security level equivalent to that of IT-Grundschutz, supplemented by cloud-specific controls.
C5 also includes additional control requirements covering data location, service provisioning, place of jurisdiction, existing certifications, information disclosure obligations, and a full service description. Using this information, customers can evaluate how legal regulations (e.g. data privacy), their own policies, or the threat environment relate to their use of cloud computing services.
What is C5?
C5 (Cloud Computing Compliance Controls Catalogue) is the "cloud computing IT security" standard in Germany. Designed and released by the BSI in February 2016, the C5 control set offers additional assurance to customers in Germany as they move their complex and regulated workloads to cloud service providers such as AWS. C5 is cross-referenced to the following standards and frameworks:
- ISO/IEC 27001:2013 (ISO - International Organization for Standardization)
- CSA Cloud Controls Matrix 3.0.1 (CSA - Cloud Security Alliance)
- AICPA Trust Service Principles Criteria 2014 (AICPA - American Institute of Certified Public Accountants)
- ANSSI Référentiel Secure Cloud 2.0 (Draft) (ANSSI - Agence nationale de la sécurité des systèmes d'information)
- IDW ERS FAIT 5 04.11.2014 (draft of a statement on accounting: "Grundsätze ordnungsmäßiger Buchführung bei Auslagerung von rechnungslegungsrelevanten Dienstleistungen einschließlich Cloud Computing" ["Generally accepted accounting principles for the outsourcing of accounting-related services including cloud computing"], 4 November 2014 version)
- BSI IT-Grundschutz Catalogues, 14th version, 2014
- BSI SaaS Sicherheitsprofile 2014 [BSI SaaS Security Profiles 2014]
What are the customer benefits of this standard?
AWS has completed its 2020 assessment against the C5 information security and compliance program, and the C5 report is available for download in AWS Artifact. AWS's 2021 C5 attestation report will be available in late 2021.
The C5 report provides our European customers with an independent third-party attestation of the suitability of the design and the operating effectiveness of our controls against the C5 basic and additional criteria. In Germany in particular, customers expect cloud services to have been assessed against the C5 criteria. C5 gives customers a framework that documents an IT security level equivalent to IT-Grundschutz and covers all IT security aspects of cloud computing. For federal authorities, a C5 attestation is a basic requirement in the procurement process.
Which AWS Regions are in scope for C5?
AWS regions in scope for C5 include Frankfurt, Ireland, London, Paris, Milan, Stockholm and Singapore, as well as Edge locations in Germany, Ireland, England, France and Singapore.
Which services are in scope?
Who created the C5 standard?
Germany's national cybersecurity authority, the Bundesamt für Sicherheit in der Informationstechnik (BSI), developed the C5 standard in 2016. The BSI reworked and updated the C5 catalogue in 2019, and a new version (C5:2020) was finalised in January 2020. The BSI strongly recommends applying C5:2020 for audits with assessment periods ending on or after 15 February 2021. The BSI defines the IT security requirements for all German government systems, and many German companies align their IT security strategy with BSI standards.
What is the difference between C5 and IT-Grundschutz of the BSI?
IT-Grundschutz is a standard for establishing and maintaining appropriate protection of an institution's information. The IT-Grundschutz Catalogues describe safeguards for typical business processes, IT systems, and applications and address the protection of an enterprise's own information. C5, by contrast, defines requirements for the offerings of cloud service providers (CSPs).
How will AWS support me in receiving the C5 attestation for my SaaS and PaaS applications?
C5 is intended primarily for professional cloud service providers, their auditors, and the customers of those providers. It defines which requirements (also referred to as controls) cloud providers have to comply with.
In November 2016, AWS was the first cloud service provider in Germany to receive the C5 attestation at the infrastructure level. Customers in Germany and other European countries can use AWS's attestation report to help them meet the local security requirements of the C5 framework. AWS's C5 attestation lays the foundation for customers to obtain their own C5 attestation for their cloud applications from their auditor: controls that AWS operates, such as the physical security of the data centers and the management of the underlying infrastructure, can be covered by reference to AWS's report rather than being included in the scope of the customer's individual audit, while controls at the application and operational layers remain in the customer's own scope. Applications delivered as Software as a Service (SaaS) and Platform as a Service (PaaS) can also be assessed against the C5 framework requirements. AWS's support helps you show your customers that you are effectively implementing the BSI's level of IT security at all layers.
Does this standard have an international impact?
The BSI has aligned this work with ANSSI and its SecNumCloud label. C5 has been influenced by, and has in turn influenced, the SecNumCloud standard in France, with the stated goal of mutual recognition under a common label called ESCloud. The draft European Union Cybersecurity Certification Scheme for Cloud Services (EUCS) from the European Union Agency for Cybersecurity (ENISA) also draws significantly on C5.
What is the difference between a certification and an attestation?
A certification is issued by an accredited certification body and is typically valid for one to three years; it documents the state of the controls at the time of the audit, so it is essentially a snapshot. An attestation is issued by qualified auditors as part of a compliance or accounting audit conducted under ISAE 3000 / ISAE 3402, and the audit report provides evidence of both the suitability of the control design and the operating effectiveness of the controls over a defined past period. Because an attestation focuses on continuous operation of the controls, its re-audit cycle is much shorter, down to six months.