CSA STAR Certification: Cloud Security Alliance Standards for Cloud Vendors

CSA STAR (Security, Trust, Assurance, and Risk) is the Cloud Security Alliance's assurance program designed specifically to address the unique security challenges facing cloud service providers and their enterprise customers. The program combines the CSA Cloud Controls Matrix with independent third-party assessments to produce verifiable, publicly registered proof of a cloud vendor's security posture. Understanding STAR certification is essential for procurement decisions, regulatory due diligence, and cloud vendor compliance assessment processes across regulated industries.

Definition and scope

The Cloud Security Alliance (CSA) developed the STAR program as a purpose-built registry for cloud security assurance. The program operates in conjunction with the CSA Cloud Controls Matrix (CCM), a control framework organized into 17 domains and 197 control objectives specifically mapped to cloud service delivery models — Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), and Software-as-a-Service (SaaS). The CCM also maps to established standards including ISO/IEC 27001, SOC 2, NIST SP 800-53, and the GDPR, enabling organizations to rationalize multiple compliance obligations against a single control taxonomy.

The STAR program applies to cloud service providers globally, though its registry is particularly visible in US federal, financial services, and healthcare vendor selection contexts. Providers listed in the public CSA STAR Registry signal baseline accountability to enterprise buyers. For organizations navigating the broader landscape of cloud-related regulation, the page on the regulatory context for cloud compliance provides the statutory and agency-level framing that connects STAR to legal obligations.

How it works

The CSA STAR program is structured into three progressive levels, each representing a different depth of assurance and verification methodology.

  1. Level 1 — Self-Assessment (STAR Self-Assessment): The cloud provider completes either the Consensus Assessments Initiative Questionnaire (CAIQ) or a CCM-based self-assessment and submits it for publication in the public registry. No third-party verification is required. This level establishes baseline transparency but carries inherent limitations because the evidence is unaudited.

  2. Level 2 — Third-Party Certification or Attestation: This level offers two parallel pathways depending on the compliance framework the provider is already pursuing:

     - STAR Certification: Combines an ISO/IEC 27001 audit with a CCM-based assessment performed by an accredited certification body. The result is an ISO 27001 certificate augmented with a STAR certificate that reflects cloud-specific control maturity.
     - STAR Attestation: Combines a SOC 2 Type II engagement with CCM criteria, performed by a licensed CPA firm. This pathway is particularly common for providers serving US financial services and healthcare clients who already require SOC 2 compliance.

  3. Level 3 — Continuous Monitoring (STAR Continuous): This emerging pathway integrates automated, near-real-time evidence collection with the CCM framework. It connects to the discipline of continuous compliance monitoring and is intended to reduce the lag inherent in point-in-time assessments.

Assessment bodies conducting Level 2 STAR Certification must be accredited under the ISO/IEC 17021 standard for management system certification bodies. The CSA does not itself issue the certificates; accredited national certification bodies hold that authority.

Common scenarios

Enterprise SaaS procurement: A financial institution evaluating a SaaS vendor requires evidence of controls addressing data encryption, access management, and incident response. A Level 2 STAR Attestation (SOC 2 + CCM) provides structured, third-party-verified evidence across all 17 CCM domains, supplementing the identity and access management controls review.

Federal supply chain vetting: While FedRAMP remains the primary authorization mechanism for US federal cloud procurement, STAR certification is used by contractors in supply chain due diligence where FedRAMP authorization does not apply to a specific service. The CCM's mappings to NIST SP 800-53 Rev 5 controls facilitate cross-walking STAR evidence to federal control families.

Healthcare cloud vendor selection: A covered entity evaluating a cloud hosting provider under HIPAA may use STAR Certification as supplemental evidence alongside a Business Associate Agreement. The CCM's Domain 05 (Data Security and Privacy Lifecycle Management) maps directly to HIPAA Security Rule safeguard categories (45 CFR Part 164), supporting HIPAA cloud compliance documentation requirements.

Multi-cloud rationalization: An organization operating across 3 or more cloud providers uses STAR registry entries to normalize vendor assurance data during a multi-cloud compliance strategy review, reducing the overhead of independent assessments per vendor.

Decision boundaries

STAR certification is not a regulatory authorization and does not substitute for FedRAMP, HITRUST CSF certification, or SOC 2 as required by specific legal or contractual mandates. The following boundaries apply:

The cloud compliance resource index provides orientation across the full range of frameworks, certifications, and regulatory obligations relevant to cloud service environments.