
GuidePoint Security and the Cloud Security Alliance (CSA) have partnered to launch the SaaS Security Capability Framework (SSCF), a new industry standard designed to address a critical gap in third-party risk management. While existing security frameworks often focus on a vendor's overall security posture, they frequently overlook the configurable, customer-facing security features of the SaaS application itself. The SSCF provides a standardized set of 41 security controls for these features, offering clear guidance for both SaaS providers and customers to improve application security and foster a safer cloud ecosystem.
GuidePoint Security and the Cloud Security Alliance (CSA) have launched the SaaS Security Capability Framework (SSCF).
The SSCF is the first standardized framework to address configurable, customer-facing security controls in SaaS applications.
The framework defines 41 essential security controls across six key domains, including Identity & Access Management and Logging & Monitoring.
It was developed by a global consortium of experts, including leaders from GuidePoint Security and MongoDB.
The SSCF aims to help organizations reduce risk, streamline procurement, and build trust in SaaS solutions.
It empowers organizations to move from ad hoc risk assessments to a more proactive, strategic approach to SaaS security.
The rapid adoption of SaaS has created new security challenges, as the configurable features that customers can manage are often not covered by traditional certifications like SOC 2 or ISO. This gap in the Shared Responsibility Model can leave organizations vulnerable. The SSCF directly addresses this by providing a common baseline of security capabilities that both providers and customers can use. By outlining precise, standardized controls, the framework helps organizations move beyond broad, high-level assessments and focus on the product-level security features that matter most for their security posture.
The SSCF is the result of a collaborative effort by industry experts and is designed to balance rigorous requirements with practical guidance. For customers, it offers a way to simplify vendor selection, accelerate deployment, and reduce risk. For SaaS vendors, it provides a clear set of security expectations, reducing the burden of creating countless custom questionnaires. The framework aims to raise the bar for SaaS security across the industry, enabling faster and more confident cloud adoption by providing a clear, consistent standard for what constitutes "good SaaS security" inside the application.
GuidePoint Security provides trusted cybersecurity expertise, solutions, and services that help organizations make better decisions that minimize risk. Our experts act as your trusted advisor to understand your business and challenges, helping you through an evaluation of your cybersecurity posture and ecosystem to expose risks, optimize resources and implement best-fit solutions. GuidePoint’s unmatched expertise has enabled 40% of Fortune 500 companies and more than half of the U.S. government cabinet-level agencies to improve their security posture and reduce risk.