Open Source Common Controls Framework (CCF) v3.0 Now Available

ComplianceOpen Source

The Technology Governance, Risk and Compliance (Tech GRC) group at Adobe is excited to release the open source Common Controls Framework (CCF) v3.0. CCF v3.0 includes additional mapping of the control activities to BSI Cloud Computing Compliance Controls Catalogue (C5), HIPAA Security Rule requirements, as well as updated mapping of the 2017 Trust Service Criteria for Security and Availability (a.k.a. SOC  2), and ISO 27001. It builds upon CCF v2.0 released in 2018. These activities were determined by common industry requirements. They have been adopted by Adobe product operations and engineering teams to help achieve compliance with the standards set forth by these regulatory bodies. The CCF is an illustrative example of common security controls that can be tailored to anorganization’s specific security objectives.

The Common Control Framework (CCF) by Adobe is the foundational framework and backbone to our company-wide security compliance strategy. The CCF is a comprehensive set of simple control requirements, aggregated, correlated and rationalized from the vast array of industry information security and privacy standards.  Adoption of the CCF has enabled Adobe’s cloud products, services, platforms and operations to achieve compliance with a host of security certifications, standards and regulations for example; SOC 2, ISO 27001, PCI, FedRAMP, HIPAA security rule and others.

As part of our knowledge sharing programs with the broader security community, a generic version of CCF (CCF v1.0) was open sourced in 2017. CCF v1.0 contained a baseline set of control activities meant to assist organizations in meeting various security frameworks and requirements that include ISO/IEC 27001, AICPA SOC 2 Common Criteria, AICPA SOC 2 Availability Criteria, and the security requirements of GLBA and FERPA. Additional mapping of control activities to FedRAMP Tailored and PCI DSS V3.2.1 were added to CCF v2.0 in 2018.

By integrating CCF into a compliance workflow, users can benefit from a more scalable security strategy that can result in higher levels of compliance across engineering and operations processes. As the next level of organic growth for CCF, the Technology Governance, Risk and Compliance (Tech GRC) group at Adobe are also developing a CCF controls automation platform. You can learn more about our CCF automation efforts on the Security@Adobe blog.

We invite you to take the opportunity to download CCF today and adapt it for use in your organization. We welcome feedback and questions about the framework. You can contact us directly at

Prasant Vadlamudi
Director, Technology Governance, Risk and Compliance (Tech GRC)

Compliance, Open Source

Posted on 12-10-2019