The Cloud Controls Matrix (CCM) is a cybersecurity control framework for cloud computing that can be used by cloud customers to build an operational cloud risk management program. The CCM provides guidance on which security controls should be implemented by which actor within the cloud supply chain, and maps the controls to industry-accepted security standards, regulations, and frameworks. The CCM can help cloud customers to assess the security posture of their cloud service providers, document their own responsibilities and requirements, and establish a baseline for cloud security assurance and compliance. References :=
* Cloud Controls Matrix (CCM) - CSA1
* What is the Cloud Controls Matrix (CCM)? - Cloud Security Alliance2
* Certificate of Cloud Auditing Knowledge (CCAK) Study Guide, Chapter 5: Cloud Assurance Frameworks

Explanation
When developing a cloud compliance program, the primary reason for a cloud customer to determine how those services will fit within its policies and procedures is to ensure that the cloud services are aligned with the customer's business objectives, risk appetite, and compliance obligations. Cloud services may have different characteristics, features, and capabilities than traditional on-premises services, and may require different or additional controls to meet the customer's security and compliance requirements. Therefore, the customer needs to assess how the cloud services will fit within its existing policies and procedures, such as data classification, data protection, access management, incident response, audit, and reporting. The customer also needs to identify any gaps or conflicts between the cloud services and its policies and procedures, and implement appropriate measures to address them. By doing so, the customer can ensure that the cloud services are used in a secure, compliant, and effective manner12.
References:
ISACA, Certificate of Cloud Auditing Knowledge (CCAK) Study Guide, 2021, p. 19-20.
Cloud Compliance Frameworks: What You Need to Know

The best method to report continuous assessment of a cloud provider's services to the Cloud Security Alliance (CSA) is through a set of dedicated application programming interfaces (APIs). According to the CSA website1, the STAR Continuous program is a component of the STAR certification that allows cloud service providers to validate their security posture on an ongoing basis. The STAR Continuous program leverages a set of APIs that can integrate with the cloud provider's existing tools and processes, such as security information and event management (SIEM), governance, risk management, and compliance (GRC), or continuous monitoring systems. The APIs enable the cloud provider to collect, analyze, and report security-related data to the CSA STAR registry in near real-time. The APIs also allow the CSA to verify the data and provide feedback to the cloud provider and the customers. The STAR Continuous program aims to provide more transparency, assurance, and trust in the cloud ecosystem by enabling continuous visibility into the security performance of cloud services.
The other methods listed are not suitable for reporting continuous assessment of a cloud provider's services to the CSA. The Cloud Controls Matrix (CCM) assessment by a third-party auditor on a periodic basis is part of the STAR Certification Level 2 program, which provides a point-in-time validation of the cloud provider's security controls. However, this method does not provide continuous assessment or reporting, as it only occurs once every 12 or 24 months2. The tools selected by the third-party auditor may vary depending on the scope, criteria, and methodology of the audit, and they may not be compatible or consistent with the CSA's standards and frameworks. Moreover, the tools may not be able to report the audit results to the CSA STAR registry automatically or frequently. The SOC 2 Type 2 attestation is an independent audit report that evaluates the cloud provider's security controls based on the American Institute of Certified Public Accountants (AICPA) Trust Services Criteria. However, this report is not specific to cloud computing and does not cover all aspects of the CCM. Furthermore, this report is not intended to be shared publicly or reported to the CSA STAR registry3.
Reference:
STAR Continuous | CSA
STAR Certification | CSA
SOC 2 vs CSA STAR: Which One Should You Choose?

Attribute-based access control (ABAC) is a cloud-native solution that uses attributes (such as user role, location, or device) to dynamically control access. This method is highly flexible for the cloud, where user attributes and environmental factors vary, unlike traditional enterprise security models. ISACA's CCAK emphasizes ABAC in cloud environments for its adaptability to multi-tenant architectures and complex access control requirements, aligning with CCM controls in Domain IAM-12 (Identity and Access Management) for flexible, secure access mechanisms.