ETFOptimize | High-performance ETF-based Investment Strategies


GuidePoint Security and Cloud Security Alliance Launch SaaS Security Capability Framework to Standardize Application Security

ⓘ This article is third-party content and does not represent the views of this site. We make no guarantees regarding its accuracy or completeness.

New industry standard strengthens SaaS security and third-party risk management

GuidePoint Security, a cybersecurity solutions leader enabling organizations to make smarter decisions and minimize risk, in collaboration with the Cloud Security Alliance (CSA), today announced the launch of the SaaS Security Capability Framework (SSCF). This groundbreaking framework establishes the first comprehensive, standardized set of Software-as-a-Service (SaaS) security controls—addressing a long-standing gap in third-party risk management.

SaaS has revolutionized the way organizations operate, but this rapid adoption has also ushered in a new era of security challenges. While foundational frameworks such as CSA’s Cloud Controls Matrix (CCM), SOC 2, and ISO certifications assess an organization’s overall security posture, they often overlook the configurable, customer-facing features that directly impact SaaS security. This gap in the Shared Responsibility Model has left many organizations without clear guidance on how to evaluate or enforce critical protections, leaving them vulnerable to overlooked risk.

The SSCF addresses these challenges by defining 41 essential, customer-facing security controls across six key domains, including:

  • Change Control & Configuration Management
  • Data Security & Privacy Lifecycle Management
  • Identity & Access Management
  • Interoperability & Portability
  • Logging & Monitoring
  • Security Incident Management

Meticulously crafted by a global consortium of experts—including leaders from GuidePoint Security, MongoDB, the CSA SaaS Working Group and other domain specialists—the SSCF sets a new common baseline of security capabilities for both SaaS providers and their customers.

“In working with customers, we continually see the need for clearer SaaS security guidance. The SSCF is a pivotal step toward SaaS security standardization,” said Jonathan Villa, Senior Cloud Practice Director at GuidePoint Security and one of the lead authors of the framework. “It bridges the disconnect between high-level organizational assessments and the product-level security features that matter most to customers. With this framework, organizations can easily reduce risk, streamline procurement and strengthen trust in SaaS solutions.”

By providing precise, standardized security capabilities, the SSCF empowers organizations to move beyond ad hoc risk assessments and toward proactive, strategic security management—strengthening overall security posture and fostering a safer cloud ecosystem.

“This framework is the product of true collaboration,” added Lefteris Skoutaris, Associate Vice President of GRC Solutions at CSA. “With input from GuidePoint Security, MongoDB, and experts across the SaaS ecosystem, the SSCF balances rigorous requirements with practical guidance. It will help raise the bar for SaaS security while enabling faster, more confident cloud adoption.”

For more information or to download the full framework, visit cloudsecurityalliance.org/artifacts/saas-security-capability-framework-sscf.

About GuidePoint Security

GuidePoint Security provides trusted cybersecurity expertise, solutions, and services that help organizations make better decisions that minimize risk. Our experts act as your trusted advisor to understand your business and challenges, helping you through an evaluation of your cybersecurity posture and ecosystem to expose risks, optimize resources and implement best-fit solutions. GuidePoint’s unmatched expertise has enabled 40% of Fortune 500 companies and more than half of the U.S. government cabinet-level agencies to improve their security posture and reduce risk. Learn more at www.guidepointsecurity.com.


Copyright © 1998-2017 ETFOptimize.com, a publication of Optimized Investments, Inc. All rights reserved.