Release · v2026.06-rc5

FINOS-CCC/CCC.SecMgmt.CN Control Catalog

FINOS-CCC/CCC.SecMgmt.CN

Controls for Secret Management technologies, as defined by the FINOS Common Cloud Controls project.

Published by FINOS Common Cloud Controls

Install

OCI v1.1
$ grcli unpack --repository finos-ccc/ccc.secmgmt.cn --tag v2026.06-rc5
Coordinate: oci.grc.store/finos-ccc/ccc.secmgmt.cn:v2026.06-rc5
Manifest digest: sha256:00484ac21afc48380760af2b9a071c99224086a8d7af2a4c694d8d91afd3ec2d

Provenance

1 layer
Digest Media type Size
ccf3b83848a2… application/vnd.gemara.artifact.v1+yaml 3.2 KiB
Bundle config blob
{
  "bundle-version": "1.0",
  "gemara-version": "v1.2.0",
  "metadata": {
    "provenance": {
      "buildDefinition": {
        "buildType": "https://grc.store/grcli/buildtype/v0",
        "externalParameters": {
          "artifact": {
            "id": "CCC.SecMgmt.CN",
            "type": "ControlCatalog"
          },
          "target": {
            "registry": "oci.grc.store",
            "repository": "finos-ccc/ccc.secmgmt.cn",
            "tag": "v2026.06-rc5"
          }
        },
        "internalParameters": {
          "CI": "true",
          "GITHUB_ACTIONS": "true",
          "GITHUB_ACTOR": "eddie-knight",
          "GITHUB_REF": "refs/heads/main",
          "GITHUB_REPOSITORY": "eddie-knight/common-cloud-controls",
          "GITHUB_RUN_ATTEMPT": "1",
          "GITHUB_RUN_ID": "26771723499",
          "GITHUB_SHA": "a9503345caf59a144d8ab9b4bede212b393ca56a",
          "GITHUB_WORKFLOW": "Batch Release All Catalogs",
          "RUNNER_OS": "Linux"
        },
        "resolvedDependencies": [
          {
            "name": "artifacts/crypto/secrets/controls.yaml",
            "uri": "file://artifacts/crypto/secrets/controls.yaml",
            "digest": {
              "sha256": "ccf3b83848a22989fbb26049045e0b49eef0607140d43dd1dde2e7ab11b97a75"
            }
          },
          {
            "name": "source",
            "uri": "git+https://github.com/eddie-knight/common-cloud-controls@a9503345caf59a144d8ab9b4bede212b393ca56a",
            "digest": {
              "gitCommit": "a9503345caf59a144d8ab9b4bede212b393ca56a"
            }
          }
        ]
      },
      "runDetails": {
        "builder": {
          "id": "https://github.com/eddie-knight/common-cloud-controls/actions/runs/26771723499",
          "version": {
            "go": "go1.25.0",
            "go-arch": "amd64",
            "go-os": "linux",
            "grcli": "v0.2.2"
          }
        },
        "metadata": {
          "invocationId": "26771723499-1",
          "startedOn": "2026-06-01T17:47:15.557494887Z",
          "finishedOn": "2026-06-01T17:47:15.655636528Z"
        },
        "byproducts": [
          {
            "name": "controls.yaml",
            "digest": {
              "sha256": "ccf3b83848a22989fbb26049045e0b49eef0607140d43dd1dde2e7ab11b97a75"
            }
          }
        ]
      }
    }
  },
  "artifacts": [
    {
      "name": "controls.yaml",
      "type": "ControlCatalog",
      "id": "CCC.SecMgmt.CN",
      "role": "artifact"
    }
  ]
}

CCC Secret Management Controls

ID: CCC.SecMgmt.CN
Version: v2026.06-rc5
Gemara version: v1.2.0
Author: FINOS Common Cloud Controls

Access Control

The Access Control group covers entries related to authentication, authorization, and trust perimeter enforcement. This includes multi-factor authentication, least privilege access, network access rules, and prevention of unauthorized access or reconnaissance.

  1. CCC.SecMgmt.CN01 Enforce Automatic Secret Rotation

    Objective

    Ensure that secrets are automatically rotated on a defined schedule to reduce the risk of secret compromise and unauthorized access.

    Assessment requirements
    1. Attempt to use an outdated version of a secret after its rotation period has passed and verify that access is denied.

      Applicability: tlp-red, tlp-amber

    Guidelines
    • NIST-CSF
      • PR.DS-6
    • NIST_800_53
      • SC-12
      • SC-28
    Threats
    • CCC.Core.Threats
      • CCC.Core.TH01
      • CCC.Core.TH14

Data Resilience

The Data Resilience group covers entries related to ensuring data availability, integrity, and sovereignty across its lifecycle. This includes replication, backup, recovery, region restrictions, and protection against data loss or corruption.

  1. CCC.SecMgmt.CN02 Enforce Secret Replication Policies

    Objective

    Ensure that secrets are replicated only to authorized locations as per organizational data residency and compliance requirements.

    Assessment requirements
    1. Attempt to retrieve a secret from an unauthorized region and verify that access is denied.

      Applicability: tlp-red, tlp-amber

    Guidelines
    • NIST-CSF
      • PR.DS-5
    • NIST_800_53
      • AC-3
      • SC-7
    Threats
    • CCC.Core.Threats
      • CCC.Core.TH03
      • CCC.Core.TH04