CLD-09: Geolocation Requirements for Processing, Storage and Service Locations
Mechanisms exist to control the location of cloud processing/storage based on business requirements that includes statutory, regulatory and contractual obligations.
Control Question: Does the organization control the location of cloud processing/storage based on business requirements that includes statutory, regulatory and contractual obligations?
General (10)
| Framework | Mapping Values |
|---|---|
| AICPA TSC 2017:2022 (used for SOC 2) | CC2.1-POF9 |
| CSA CCM 4 | DSP-19 UEM-12 |
| GovRAMP High | SA-09(05) |
| ISO 27002 2022 | 5.23 |
| ISO 27017 2015 | 6.1.3 |
| NIST 800-53 R4 | SA-9(5) |
| NIST 800-53 R5 | SA-9(5) SA-9(8) |
| NIST 800-53 R5 (NOC) | SA-9(5) SA-9(8) |
| NIST 800-161 R1 | SA-9(5) |
| SCF CORE Mergers, Acquisitions & Divestitures (MA&D) | CLD-09 |
US (11)
| Framework | Mapping Values |
|---|---|
| US CMS MARS-E 2.0 | SA-9(5) |
| US DoD Zero Trust Execution Roadmap | 4.7.4 |
| US FedRAMP R4 | SA-9(5) |
| US FedRAMP R4 (moderate) | SA-9(5) |
| US FedRAMP R4 (high) | SA-9(5) |
| US FedRAMP R5 | SA-9(5) |
| US FedRAMP R5 (moderate) | SA-9(5) |
| US FedRAMP R5 (high) | SA-9(5) |
| US HIPAA HICP Large Practice | 4.L.A |
| US IRS 1075 | 2.C.7 SA-9(5) SA-9(8) |
| US - TX TX-RAMP Level 2 | SA-9(5) |
EMEA (6)
| Framework | Mapping Values |
|---|---|
| EMEA Germany C5 2020 | PI-02 PSS-12 |
| EMEA Kenya DPA 2019 | 25(h) |
| EMEA Qatar PDPPL | 15 |
| EMEA Saudi Arabia CSCC-1 2019 | 4-2-1-1 |
| EMEA Saudi Arabia ECC-1 2018 | 4-1-3-2 4-2-3-3 |
| EMEA Saudi Arabia SACS-002 | TPC-30 |
APAC (6)
| Framework | Mapping Values |
|---|---|
| APAC Australian Privacy Principles | APP 8 |
| APAC Australia ISM June 2024 | ISM-1572 |
| APAC China Privacy Law | 38 39 40 |
| APAC India SEBI CSCRF | PR.DS.S2 |
| APAC Japan APPI | 24(1) |
| APAC New Zealand NZISM 3.6 | 22.1.22.C.01 22.1.22.C.02 22.1.22.C.03 22.1.22.C.04 22.1.22.C.05 22.1.22.C.06 23.4.11.C.01 23.4.11.C.02 |
Americas (3)
| Framework | Mapping Values |
|---|---|
| Americas Argentina Reg 132-2018 | 12.1 12.2 |
| Americas Brazil LGPD | 33 34 |
| Americas Uruguay | 23 |
Capability Maturity Model
Level 0 — Not Performed
There is no evidence of a capability to control the location of cloud processing/storage based on business requirements that includes statutory, regulatory and contractual obligations.
Level 1 — Performed Informally
Cloud Security (CLD) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, of the following criteria to exist:
- Cloud-based technologies are governed no differently from on-premises network assets (e.g., cloud-based technology is viewed as an extension of the corporate network).
- A Shared Responsibility Matrix (SRM), or similar Customer Responsibility Matrix (CRM), is documented for each Cloud Service Provider (CSP) instance that takes into account differences between Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS) methodologies.
Level 2 — Planned & Tracked
Cloud Security (CLD) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, of the following criteria to exist:
- Cloud security management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
- IT/cybersecurity personnel:
  - Identify cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements for cloud security management.
  - Use an informal process to govern cloud-specific cybersecurity and data privacy-specific tools.
- A Shared Responsibility Matrix (SRM), or similar Customer Responsibility Matrix (CRM), is documented for each Cloud Service Provider (CSP) instance that takes into account differences between Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS) methodologies.
- IT personnel have a documented architecture for cloud-based technologies to support cybersecurity and data protection requirements.
- Cybersecurity and data privacy requirements are identified and documented for cloud-specific sensitive/regulated data processing, storing and/or transmitting, including restrictions on data processing and storage locations.
Level 3 — Well Defined
Cloud Security (CLD) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, of the following criteria to exist:
- Roles and associated responsibilities for governing cloud instances, including provisioning, maintaining and deprovisioning, are formally assigned.
- A Shared Responsibility Matrix (SRM), or similar Customer Responsibility Matrix (CRM), is documented for each Cloud Service Provider (CSP) instance that takes into account differences between Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS) methodologies.
- IT architects, in conjunction with cybersecurity architects:
  - Ensure the cloud security architecture supports the organization's technology strategy to securely design, configure and maintain cloud deployments.
  - Ensure multi-tenant CSP assets (physical and virtual) are designed and governed such that provider and customer (tenant) user access is appropriately segmented from other tenant users.
  - Ensure CSPs use secure protocols for the import, export and management of data in cloud-based services.
  - Implement a dedicated subnet to host security-specific technologies on all cloud instances, where technically feasible.
- A Change Advisory Board (CAB), or similar function:
  - Governs changes to cloud-based systems, applications and services to ensure their stability, reliability and predictability.
  - Reviews processes to identify and prevent use of unapproved CSPs.
- A dedicated IT infrastructure team, or similar function, enables the implementation of cloud management controls to ensure cloud instances are both secure and compliant, leveraging industry-recognized secure practices that are CSP-specific.
- Cybersecurity and data privacy requirements are identified and documented for each CSP instance to address sensitive/regulated data processing, storing and/or transmitting and provide restrictions on data processing and storage locations.
- A Data Protection Impact Assessment (DPIA) is used to help ensure the protection of sensitive/regulated data processed, stored or transmitted on external systems.
Level 4 — Quantitatively Controlled
Cloud Security (CLD) efforts are metrics-driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 criteria, CMM Level 4 control maturity would reasonably expect all, or at least most, of the following criteria to exist:
- Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).
- Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).
- Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third parties.
- Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).
- Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.
- Both business and technical stakeholders are involved in reviewing and approving proposed changes.
Level 5 — Continuously Improving
Cloud Security (CLD) efforts are “world-class” capabilities that leverage predictive analysis (e.g., machine learning, AI, etc.). In addition to CMM Level 4 criteria, CMM Level 5 control maturity would reasonably expect all, or at least most, of the following criteria to exist:
- Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions.
- Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes.
Assessment Objectives
- CLD-09_A01 locations where information processing and data storage is/are to be restricted are defined.
- CLD-09_A02 requirements or conditions for restricting the location of information processing, information storage or information services are defined.
- CLD-09_A03 based on requirements, information processing, information storage or information services is/are restricted to locations.
- CLD-09_A04 the geographic location of information processing and data storage is restricted to facilities located within the legal jurisdictional boundary of the United States.
Evidence Requirements
- E-AST-06 Asset Inventories - Cloud Service Provider (CSP) (Asset Management): Documented evidence of an inventory of the organization's cloud-based services (e.g., SaaS, IaaS, PaaS, etc.).
- E-AST-23 Geolocation Inventory (Asset Management): Documented evidence of designated internal and third-party facilities where organizational data is stored, transmitted and/or processed.
Technology Recommendations
Micro/Small
- Data Protection Impact Assessment (DPIA)
- Cybersecurity Supply Chain Risk Management (C-SCRM) program
Small
- Data Protection Impact Assessment (DPIA)
- Cybersecurity Supply Chain Risk Management (C-SCRM) program
Medium
- Data Protection Impact Assessment (DPIA)
- Cybersecurity Supply Chain Risk Management (C-SCRM) program
Large
- Data Protection Impact Assessment (DPIA)
- Cybersecurity Supply Chain Risk Management (C-SCRM) program
Enterprise
- Data Protection Impact Assessment (DPIA)
- Cybersecurity Supply Chain Risk Management (C-SCRM) program