In Force
Government entities, Critical national infrastructure, Cloud service providers
NCA Cloud Computing Cybersecurity Controls (CCC-1:2020)
Also known as: NCA CCC (Saudi Arabia)
Saudi National Cybersecurity Authority controls for cloud computing security. Mandatory for government entities and critical national infrastructure using cloud services. Establishes 4 domains of cloud security controls covering governance, compliance, data protection, and operational security.
Jurisdiction
Saudi Arabia
Regulator
—
Effective
1/1/2020
Sector
Government entities, Critical national infrastructure, Cloud service providers
Full Text / Summary
Saudi Arabia's National Cybersecurity Authority (NCA) Cloud Computing Cybersecurity Controls (CCC-1:2020) establish mandatory cybersecurity requirements for cloud service providers (CSPs) and cloud service consumers (CSCs) in Saudi Arabia. The Controls apply to all government entities and critical national infrastructure operators using cloud services, and to cloud service providers offering services in Saudi Arabia. CCC-1:2020 covers 10 domains: governance; compliance; asset management; identity and access management; physical security; operations security; communications security; incident management; business continuity; and supply chain. Cloud service providers must achieve NCA certification before providing services to government entities. The Controls require CSPs to store government data within Saudi Arabia unless explicitly approved for cross-border transfer. CSCs must conduct due diligence on CSPs, include security requirements in contracts, and maintain oversight of cloud security. The NCA also issues the Essential Cybersecurity Controls (ECC-1:2018) as the baseline cybersecurity framework for all government entities.