
Release · v2026.06-rc3

FINOS-CCC/CCC.SecMgmt.CN Control Catalog


Controls for Secret Management technologies, as defined by the FINOS Common Cloud Controls project.

Published by FINOS Common Cloud Controls

Install

OCI v1.1
$ grcli unpack --repository finos-ccc/ccc.secmgmt.cn --tag v2026.06-rc3
Coordinate: oci.grc.store/finos-ccc/ccc.secmgmt.cn:v2026.06-rc3
Manifest digest: sha256:200edbddf0c18a09bd29535ef631dceb3919719770e01b62467833233ae1ee31

Provenance

1 layer
Digest          Media type                                 Size
2fc22d4cfe37…   application/vnd.gemara.artifact.v1+yaml    3.2 KiB
Bundle config blob
{
  "bundle-version": "1.0",
  "gemara-version": "v1.2.0",
  "metadata": {
    "provenance": {
      "buildDefinition": {
        "buildType": "https://grc.store/grcli/buildtype/v0",
        "externalParameters": {
          "artifact": {
            "id": "CCC.SecMgmt.CN",
            "type": "ControlCatalog"
          },
          "target": {
            "registry": "oci.grc.store",
            "repository": "finos-ccc/ccc.secmgmt.cn",
            "tag": "v2026.06-rc3"
          }
        },
        "internalParameters": {
          "CI": "true",
          "GITHUB_ACTIONS": "true",
          "GITHUB_ACTOR": "eddie-knight",
          "GITHUB_REF": "refs/heads/main",
          "GITHUB_REPOSITORY": "eddie-knight/common-cloud-controls",
          "GITHUB_RUN_ATTEMPT": "2",
          "GITHUB_RUN_ID": "26768391088",
          "GITHUB_SHA": "24594e28430c12318cacffe7fdda6a3ea272d975",
          "GITHUB_WORKFLOW": "Batch Release All Catalogs",
          "RUNNER_OS": "Linux"
        },
        "resolvedDependencies": [
          {
            "name": "artifacts/crypto/secrets/controls.yaml",
            "uri": "file://artifacts/crypto/secrets/controls.yaml",
            "digest": {
              "sha256": "2fc22d4cfe371d1d4159d5353928f89f6f6da535b9a26d87b2f536e859e1f58b"
            }
          },
          {
            "name": "source",
            "uri": "git+https://github.com/eddie-knight/common-cloud-controls@24594e28430c12318cacffe7fdda6a3ea272d975",
            "digest": {
              "gitCommit": "24594e28430c12318cacffe7fdda6a3ea272d975"
            }
          }
        ]
      },
      "runDetails": {
        "builder": {
          "id": "https://github.com/eddie-knight/common-cloud-controls/actions/runs/26768391088",
          "version": {
            "go": "go1.25.0",
            "go-arch": "amd64",
            "go-os": "linux",
            "grcli": "v0.2.2"
          }
        },
        "metadata": {
          "invocationId": "26768391088-2",
          "startedOn": "2026-06-01T16:44:02.304778213Z",
          "finishedOn": "2026-06-01T16:44:02.402563018Z"
        },
        "byproducts": [
          {
            "name": "controls.yaml",
            "digest": {
              "sha256": "2fc22d4cfe371d1d4159d5353928f89f6f6da535b9a26d87b2f536e859e1f58b"
            }
          }
        ]
      }
    }
  },
  "artifacts": [
    {
      "name": "controls.yaml",
      "type": "ControlCatalog",
      "id": "CCC.SecMgmt.CN",
      "role": "artifact"
    }
  ]
}

CCC Secret Management Controls

Controls for Secret Management technologies, as defined by the FINOS Common Cloud Controls project.

ID: CCC.SecMgmt.CN
Version: v2026.06-rc3
Gemara version: v1.2.0
Author: FINOS Common Cloud Controls

Access Control

The Access Control group covers entries related to authentication, authorization, and trust perimeter enforcement. This includes multi-factor authentication, least privilege access, network access rules, and prevention of unauthorized access or reconnaissance.

  1. CCC.SecMgmt.CN01 Enforce Automatic Secret Rotation

    Objective

    Ensure that secrets are automatically rotated on a defined schedule to reduce the risk of secret compromise and unauthorized access.

    Assessment requirements
    1. Attempt to use an outdated version of a secret after its rotation period has passed and verify that access is denied.

      Applicability: tlp-red, tlp-amber

    Guidelines
    • NIST-CSF
      • PR.DS-6
    • NIST_800_53
      • SC-12
      • SC-28
    Threats
    • CCC.Core.Threats
      • CCC.Core.TH01
      • CCC.Core.TH14

Data Resilience

The Data Resilience group covers entries related to ensuring data availability, integrity, and sovereignty across its lifecycle. This includes replication, backup, recovery, region restrictions, and protection against data loss or corruption.

  1. CCC.SecMgmt.CN02 Enforce Secret Replication Policies

    Objective

    Ensure that secrets are replicated only to authorized locations as per organizational data residency and compliance requirements.

    Assessment requirements
    1. Attempt to retrieve a secret from an unauthorized region and verify that access is denied.

      Applicability: tlp-red, tlp-amber

    Guidelines
    • NIST-CSF
      • PR.DS-5
    • NIST_800_53
      • AC-3
      • SC-7
    Threats
    • CCC.Core.Threats
      • CCC.Core.TH03
      • CCC.Core.TH04