New CSA Framework Aims to Close Gaps in SaaS Security
September 25, 2025 – Published on MSSP Alert
JPMorganChase Global CISO Patrick Opet penned an open letter to third-party software providers in April this year, warning that the rising cyberthreats stemming from the software-as-a-service (SaaS) delivery model were threatening the global economic system, and urging them to prioritize security over new features.
Security incidents involving software providers can easily reverberate through the supply chain, causing significant problems for downstream customers.
A working group of the Cloud Security Alliance (CSA), GuidePoint Security and other experts is looking to address the issues raised by Opet with the SaaS Security Capability Framework (SSCF), a standardized set of SaaS security controls released this week that the organizations said will close a crucial gap in third-party risk management (TPRM).
“The primary issue is that current third-party risk management practices are operating at the wrong level of granularity,” Jonathan Villa, GuidePoint’s senior cloud practice director, told MSSP Alert. “Traditional approaches focus heavily on vendor organizational security, examining policies, procedures, and high-level controls through frameworks like SOC 2 and ISO standards.”
The SSCF shifts the focus from “high-level organizational assessments to standardized, product-level security capabilities,” Villa said. “Instead of just asking, ‘Is this vendor secure?’, organizations can now ask, ‘Does this specific SaaS application provide the standardized security features we need, and can our business users configure them properly?’”
According to the CSA, the SSCF defines 41 key customer-facing security controls spanning six primary domains: change control and configuration management, data security and privacy lifecycle management, identity and access management (IAM), interoperability and portability, logging and monitoring, and security incident management.