Release · v2026.06-rc4

FINOS-CCC/CCC.SecMgmt.CN Control Catalog

Controls for Secret Management technologies, as defined by the FINOS Common Cloud Controls project.

Published by FINOS Common Cloud Controls

Install

OCI v1.1
$ grcli unpack --repository finos-ccc/ccc.secmgmt.cn --tag v2026.06-rc4
Coordinate: oci.grc.store/finos-ccc/ccc.secmgmt.cn:v2026.06-rc4
Manifest digest: sha256:65c0f145d511eb226aa8394571cf76ee368d6c5deb59ea3c5b6acc5612088231

Provenance

1 layer
Digest Media type Size
b23bcf09e217… application/vnd.gemara.artifact.v1+yaml 3.2 KiB
Bundle config blob
{
  "bundle-version": "1.0",
  "gemara-version": "v1.2.0",
  "metadata": {
    "provenance": {
      "buildDefinition": {
        "buildType": "https://grc.store/grcli/buildtype/v0",
        "externalParameters": {
          "artifact": {
            "id": "CCC.SecMgmt.CN",
            "type": "ControlCatalog"
          },
          "target": {
            "registry": "oci.grc.store",
            "repository": "finos-ccc/ccc.secmgmt.cn",
            "tag": "v2026.06-rc4"
          }
        },
        "internalParameters": {
          "CI": "true",
          "GITHUB_ACTIONS": "true",
          "GITHUB_ACTOR": "eddie-knight",
          "GITHUB_REF": "refs/heads/main",
          "GITHUB_REPOSITORY": "eddie-knight/common-cloud-controls",
          "GITHUB_RUN_ATTEMPT": "1",
          "GITHUB_RUN_ID": "26770748733",
          "GITHUB_SHA": "2b6dab4c1307a0ac67d90c99829f6c1825154c84",
          "GITHUB_WORKFLOW": "Batch Release All Catalogs",
          "RUNNER_OS": "Linux"
        },
        "resolvedDependencies": [
          {
            "name": "artifacts/crypto/secrets/controls.yaml",
            "uri": "file://artifacts/crypto/secrets/controls.yaml",
            "digest": {
              "sha256": "b23bcf09e217774bbdd557dcde3571e66415e8fdbc46c8ea5f25e6beaad7197d"
            }
          },
          {
            "name": "source",
            "uri": "git+https://github.com/eddie-knight/common-cloud-controls@2b6dab4c1307a0ac67d90c99829f6c1825154c84",
            "digest": {
              "gitCommit": "2b6dab4c1307a0ac67d90c99829f6c1825154c84"
            }
          }
        ]
      },
      "runDetails": {
        "builder": {
          "id": "https://github.com/eddie-knight/common-cloud-controls/actions/runs/26770748733",
          "version": {
            "go": "go1.25.0",
            "go-arch": "amd64",
            "go-os": "linux",
            "grcli": "v0.2.2"
          }
        },
        "metadata": {
          "invocationId": "26770748733-1",
          "startedOn": "2026-06-01T17:28:21.619575263Z",
          "finishedOn": "2026-06-01T17:28:21.839162772Z"
        },
        "byproducts": [
          {
            "name": "controls.yaml",
            "digest": {
              "sha256": "b23bcf09e217774bbdd557dcde3571e66415e8fdbc46c8ea5f25e6beaad7197d"
            }
          }
        ]
      }
    }
  },
  "artifacts": [
    {
      "name": "controls.yaml",
      "type": "ControlCatalog",
      "id": "CCC.SecMgmt.CN",
      "role": "artifact"
    }
  ]
}

CCC Secret Management Controls

Controls for Secret Management technologies, as defined by the FINOS Common Cloud Controls project.

ID: CCC.SecMgmt.CN
Version: v2026.06-rc4
Gemara version: v1.2.0
Author: FINOS Common Cloud Controls

Access Control

The Access Control group covers entries related to authentication, authorization, and trust perimeter enforcement. This includes multi-factor authentication, least privilege access, network access rules, and prevention of unauthorized access or reconnaissance.

  1. CCC.SecMgmt.CN01 Enforce Automatic Secret Rotation

    Objective

    Ensure that secrets are automatically rotated on a defined schedule to reduce the risk of secret compromise and unauthorized access.

    Assessment requirements
    1. Attempt to use an outdated version of a secret after its rotation period has passed and verify that access is denied.

      Applicability: tlp-red, tlp-amber

    Guidelines
    • NIST-CSF
      • PR.DS-6
    • NIST_800_53
      • SC-12
      • SC-28
    Threats
    • CCC.Core.Threats
      • CCC.Core.TH01
      • CCC.Core.TH14

Data Resilience

The Data Resilience group covers entries related to ensuring data availability, integrity, and sovereignty across its lifecycle. This includes replication, backup, recovery, region restrictions, and protection against data loss or corruption.

  1. CCC.SecMgmt.CN02 Enforce Secret Replication Policies

    Objective

    Ensure that secrets are replicated only to authorized locations as per organizational data residency and compliance requirements.

    Assessment requirements
    1. Attempt to retrieve a secret from an unauthorized region and verify that access is denied.

      Applicability: tlp-red, tlp-amber

    Guidelines
    • NIST-CSF
      • PR.DS-5
    • NIST_800_53
      • AC-3
      • SC-7
    Threats
    • CCC.Core.Threats
      • CCC.Core.TH03
      • CCC.Core.TH04