Release · v2026.06-rc5

FINOS-CCC/CCC.MLDE.CN Control Catalog

Controls for Machine Learning Development Environment technologies, as defined by the FINOS Common Cloud Controls project.

Published by FINOS Common Cloud Controls

Install

OCI v1.1
$ grcli unpack --repository finos-ccc/ccc.mlde.cn --tag v2026.06-rc5
Coordinate
oci.grc.store/finos-ccc/ccc.mlde.cn:v2026.06-rc5
Manifest digest
sha256:99ad040fd4df410ce15754e777e3862ad100410b233df6f2cff007a137aca62e

Provenance

1 layer
Digest Media type Size
9d2d6c304be5… application/vnd.gemara.artifact.v1+yaml 14.0 KiB
Bundle config blob
{
  "bundle-version": "1.0",
  "gemara-version": "v1.2.0",
  "metadata": {
    "provenance": {
      "buildDefinition": {
        "buildType": "https://grc.store/grcli/buildtype/v0",
        "externalParameters": {
          "artifact": {
            "id": "CCC.MLDE.CN",
            "type": "ControlCatalog"
          },
          "target": {
            "registry": "oci.grc.store",
            "repository": "finos-ccc/ccc.mlde.cn",
            "tag": "v2026.06-rc5"
          }
        },
        "internalParameters": {
          "CI": "true",
          "GITHUB_ACTIONS": "true",
          "GITHUB_ACTOR": "eddie-knight",
          "GITHUB_REF": "refs/heads/main",
          "GITHUB_REPOSITORY": "eddie-knight/common-cloud-controls",
          "GITHUB_RUN_ATTEMPT": "1",
          "GITHUB_RUN_ID": "26771723499",
          "GITHUB_SHA": "a9503345caf59a144d8ab9b4bede212b393ca56a",
          "GITHUB_WORKFLOW": "Batch Release All Catalogs",
          "RUNNER_OS": "Linux"
        },
        "resolvedDependencies": [
          {
            "name": "artifacts/ai-ml/mlde/controls.yaml",
            "uri": "file://artifacts/ai-ml/mlde/controls.yaml",
            "digest": {
              "sha256": "9d2d6c304be5e876e7efc3b0cedc74626617019ad417e70ec338cbfb5c0e2689"
            }
          },
          {
            "name": "source",
            "uri": "git+https://github.com/eddie-knight/common-cloud-controls@a9503345caf59a144d8ab9b4bede212b393ca56a",
            "digest": {
              "gitCommit": "a9503345caf59a144d8ab9b4bede212b393ca56a"
            }
          }
        ]
      },
      "runDetails": {
        "builder": {
          "id": "https://github.com/eddie-knight/common-cloud-controls/actions/runs/26771723499",
          "version": {
            "go": "go1.25.0",
            "go-arch": "amd64",
            "go-os": "linux",
            "grcli": "v0.2.2"
          }
        },
        "metadata": {
          "invocationId": "26771723499-1",
          "startedOn": "2026-06-01T17:46:34.327834646Z",
          "finishedOn": "2026-06-01T17:46:34.463544859Z"
        },
        "byproducts": [
          {
            "name": "controls.yaml",
            "digest": {
              "sha256": "9d2d6c304be5e876e7efc3b0cedc74626617019ad417e70ec338cbfb5c0e2689"
            }
          }
        ]
      }
    }
  },
  "artifacts": [
    {
      "name": "controls.yaml",
      "type": "ControlCatalog",
      "id": "CCC.MLDE.CN",
      "role": "artifact"
    }
  ]
}

CCC Machine Learning Development Environment Controls

ID
CCC.MLDE.CN
Version
v2026.06-rc5
Gemara version
v1.2.0
Author
FINOS Common Cloud Controls

Access Control

The Access Control group covers entries related to authentication, authorization, and trust perimeter enforcement. This includes multi-factor authentication, least privilege access, network access rules, and prevention of unauthorized access or reconnaissance.

  1. CCC.MLDE.CN01 Define Access Mode for ML Development Environments

    Objective

    Ensure that access to Machine Learning Development Environment (MLDE) resources is strictly defined and controlled. Only authorized users with appropriate permissions can access these environments, mitigating the risk of unauthorized access, data leakage, or service disruption.

    Assessment requirements
    1. Verify that only authorized users can access MLDE resources, and that access modes are properly defined and enforced.

      Applicability: tlp-red, tlp-amber, tlp-green, tlp-clear

    Guidelines
    • NIST-CSF
      • PR.AC-3
    • ISO_27001
      • 2013 A.9.1.1
      • 2013 A.9.2.1
    • NIST_800_53
      • AC-2
      • AC-3
    • CCM
      • IAM-01
      • IAM-02
    Threats
    • CCC.MLDE.Threats
      • CCC.MLDE.TH01
    • CCC.Core.Threats
      • CCC.Core.TH01
  2. CCC.MLDE.CN03 Disable Root Access on MLDE Instances

    Objective

    Prevent users from obtaining root access on MLDE instances to reduce the risk of unauthorized system modifications and potential security breaches.

    Assessment requirements
    1. Verify that root access is disabled on MLDE instances containing sensitive data.

      Applicability: tlp-red

    2. For MLDE instances without sensitive data, ensure that root access is only enabled when necessary and properly authorized.

      Applicability: tlp-red, tlp-amber, tlp-green, tlp-clear

    Guidelines
    • NIST-CSF
      • PR.AC-4
    • NIST_800_53
      • AC-6
    • CCM
      • IAM-08
      • IAM-12
    • ISO_27001
      • 2013 A.9.2.3
    Threats
    • CCC.MLDE.Threats
      • CCC.MLDE.TH01
  3. CCC.MLDE.CN04 Disable Terminal Access on MLDE Instances

    Objective

    Prevent users from accessing the terminal on MLDE instances to limit the risk of unauthorized commands and potential system compromise.

    Assessment requirements
    1. Verify that terminal access is disabled on MLDE instances containing sensitive data.

      Applicability: tlp-red

    2. For MLDE instances without sensitive data, ensure that terminal access is only enabled when necessary and properly authorized.

      Applicability: tlp-red, tlp-amber, tlp-green, tlp-clear

    Guidelines
    • NIST-CSF
      • PR.AC-4
    • NIST_800_53
      • AC-6
    • CCM
      • IAM-08
    • ISO_27001
      • 2013 A.9.2.3
    Threats
    • CCC.MLDE.Threats
      • CCC.MLDE.TH01
  4. CCC.MLDE.CN02 Disable File Downloads on MLDE Instances

    Objective

    Prevent unauthorized file downloads from MLDE instances to protect sensitive data from being exfiltrated.

    Assessment requirements
    1. Confirm that file download functionality is disabled on MLDE instances containing sensitive data.

      Applicability: tlp-red

    2. For MLDE instances without sensitive data, ensure that file downloads are monitored and logged.

      Applicability: tlp-red, tlp-amber, tlp-green, tlp-clear

    Guidelines
    • NIST-CSF
      • PR.DS-5
    • CCM
      • DSI-05
      • DSI-07
    • ISO_27001
      • 2013 A.13.2.1
    • NIST_800_53
      • SC-7
      • SC-8
    Threats
    • CCC.MLDE.Threats
      • CCC.MLDE.TH02
    • CCC.Core.Threats
      • CCC.Core.TH02

Resource Management

The Resource Management group covers entries related to the lifecycle, configuration, and operational integrity of cloud resources. This includes resource exhaustion, tag manipulation, version rollback, scaling, and cost management.

  1. CCC.MLDE.CN05 Restrict Environment Options on MLDE Instances

    Objective

    Limit the virtual machine and container image options available when creating new MLDE instances to approved and secure configurations.

    Assessment requirements
    1. Verify that only approved VM and container images can be selected when creating MLDE instances.

      Applicability: tlp-red, tlp-amber

    2. Attempt to create an MLDE instance with an unapproved image and confirm that it is denied.

      Applicability: tlp-red

    Guidelines
    • NIST-CSF
      • PR.IP-1
    • CCM
      • TVM-02
    • ISO_27001
      • 2013 A.12.5.1
    • NIST_800_53
      • CM-2
    Threats
    • CCC.MLDE.Threats
      • CCC.MLDE.TH04
  2. CCC.MLDE.CN06 Require Automatic Scheduled Upgrades on User-Managed MLDE Instances

    Objective

    Ensure that MLDE instances are kept up-to-date with the latest security patches by enforcing automatic scheduled upgrades.

    Assessment requirements
    1. Verify that automatic scheduled upgrades are enabled on user-managed MLDE instances containing sensitive data.

      Applicability: tlp-red

    2. Ensure that the upgrade schedule is appropriately configured and does not interfere with critical operations.

      Applicability: tlp-red, tlp-amber, tlp-green, tlp-clear

    Guidelines
    • NIST-CSF
      • PR.IP-12
    • CCM
      • TVM-01
      • TVM-02
    • ISO_27001
      • 2013 A.12.6.1
    • NIST_800_53
      • SI-2
    Threats
    • CCC.MLDE.Threats
      • CCC.MLDE.TH04
    • CCC.Core.Threats
      • CCC.Core.TH06

Networking

The Networking group covers entries related to network infrastructure, connectivity, and traffic management. This includes virtual networks, subnets, load balancing, DNS, routing, peering, and network-level access controls.

  1. CCC.MLDE.CN07 Restrict Public IP Access on MLDE Instances

    Objective

    Prevent public IP access to MLDE instances to reduce exposure to the internet and enhance security.

    Assessment requirements
    1. Verify that MLDE instances containing sensitive data cannot be accessed via public IP addresses.

      Applicability: tlp-red

    2. For MLDE instances without sensitive data requiring public access, ensure that appropriate security controls are in place and access is approved.

      Applicability: tlp-red, tlp-amber, tlp-green, tlp-clear

    Guidelines
    • NIST-CSF
      • PR.AC-3
    • CCM
      • SEF-05
    • ISO_27001
      • 2013 A.13.1.1
    • NIST_800_53
      • SC-7
    Threats
    • CCC.MLDE.Threats
      • CCC.MLDE.TH02
    • CCC.VPC.Threats
      • CCC.VPC.TH02
  2. CCC.MLDE.CN08 Restrict Virtual Networks for MLDE Instances

    Objective

    Limit the virtual networks that can be used when creating new MLDE instances to ensure they are deployed within approved and secure network environments.

    Assessment requirements
    1. Verify that MLDE instances containing sensitive data can only be deployed in approved virtual networks with appropriate security controls.

      Applicability: tlp-red

    2. Ensure that MLDE instances without sensitive data are deployed in networks that meet organizational security standards.

      Applicability: tlp-red, tlp-amber, tlp-green, tlp-clear

    Guidelines
    • NIST-CSF
      • PR.AC-4
    • CCM
      • IAM-12
    • ISO_27001
      • 2013 A.9.1.2
    • NIST_800_53
      • AC-6
    Threats
    • CCC.MLDE.Threats
      • CCC.MLDE.TH01
    • CCC.Core.Threats
      • CCC.Core.TH01