How to Submit Level 1 Submissions, Self-Assessments to the STAR Registry
These are the detailed instructions on how to submit your Level 1 Self-Assessment to the STAR Registry. This guide is intended for STAR registry users who are submitting their CAIQ documents on behalf of their Organization.
In this document we will give you the following information:
- Preparation for submitting the Level 1 Self-Assessment
- Instructions for submitting the Level 1 Self-Assessment
- More information about the form field information
For simplified steps on how to submit a Level 1 Self-Assessment see this page.
For instructions on how to submit a STAR Level 2 Certification or Attestation please see this page.
For instructions on how to submit a COC for GDPR please see this page.
If you are an auditor submitting the CAIQ on behalf of a client, then you will use the client's information, and not your Auditing company's information.
Preparing to use the STAR Submission Form to submit your Level 1 Self-Assessment
All STAR submissions, including Self-Assessments, Certifications, Attestations, and others, can be submitted through our STAR Submission form here. No sign-in is required to submit to the registry, but before your submission can be processed and posted to the STAR Registry you will be required to confirm it via a link that will be sent to the primary email address that you use.
Pro Tip: The Intake form is the same for all documents submitted to STAR, but the process for using the form may differ depending on the type of submission. You can view our other documents on Level 2 Attestations and Level 2 Certifications by clicking on the links provided here.
You will want to ensure that you have the correct information collected before you start the submission process. The following fields are required when using the STAR Submission form to submit your Level 1 Self-Assessment to the STAR Registry:
- Backup PoC name
- Backup PoC email address
- Phone Number
- The fully completed primary document (The CAIQ 4.0.2 which can be downloaded here.)
In addition to these, you will need to know the name, URL and description of the Organization and of the Cloud Service that are to appear on your STAR Registry listing.
If you are an Auditor submitting the CAIQ on behalf of a client, then you will use the client's information, and not your Auditing company's information.
More information about the required fields is listed at the end of this documentation. If you encounter any issues, you will want to make sure to check that section.
Pro Tip: To determine if you have an existing service on the STAR Registry, you can look up your listing on the STAR Registry to see the Organization and Cloud Service. This can help you to determine the correct information to list in the following steps. However, if you have had an unsuccessful listing, the Organization and Cloud Service may already be available to select on the confirmation step (below) but not yet visible in the registry. Please visit our STAR Registry to check your listing.
Instructions for submitting the Level 1 Self-Assessment
Step 1. Fill out the STAR Submission form
Fill out the STAR Submission form with your information. Select “SelfAssessment” from the Type of Registry Entry drop-down menu. You will need to attach the completed CAIQ Document as the primary document of your submission.
Pro Tip: All self-assessments must be submitted in the original format that Cloud Security Alliance provides. Do not add or remove any columns, rows, or sheets. The primary document must be submitted with the .xlsx extension. All responses in the "CSP CAIQ Answer" column are mandatory. Unless the corresponding "CSP CAIQ Answer" is NA, all "SSRM Control Ownership" responses are mandatory.
Step 2. Find the confirmation email
A confirmation notice will come from the email firstname.lastname@example.org. Check your email for the confirmation notice and follow the link to confirm your submission. If your confirmation email doesn’t arrive within 30 minutes and you are unable to find it in your spam folder, then reach out to us at email@example.com or start a ticket in this help forum and our support team will assist you with the confirmation step.
Step 3. Select your Organization
On the confirmation page you will find your existing Organization listed on the Dropdown menu of available organizations. If this is the first time submitting this Organization, then it won’t be listed in the dropdown menu. In that case you can create it with the “Create New Organization” button.
If your organization already exists in the registry you will select it from the dropdown menu. Otherwise you will click the orange “Create New Organization” button.
Pro Tip: You will want to make sure to check for your Organization carefully from the dropdown list so that you don’t duplicate your listing. New organizations will be listed exactly as they are submitted by you here, so be careful to select your existing Organization from the menu so as not to duplicate your listing by adding a new one with a different spelling or format. If you need to make changes to your organization information, contact firstname.lastname@example.org.
Step 4. Select your Cloud Service
After you have created or selected your Organization, you will be presented with another page to select or create your Cloud Service. Your Cloud Service listing should match exactly the name under which the service is presented to its consumers. If your Cloud Service already exists in the STAR Registry, select it from the dropdown menu. If it doesn’t exist in the STAR Registry yet, click the Create New Cloud Service button to add your Cloud Service information. This should be your own cloud service and not the service provider that you use to host it.
Pro Tip: You will want to make sure to check for your Cloud Service carefully from the dropdown list so that you don’t duplicate your listing. New Cloud Services will be listed exactly as they are submitted by you here, so be careful to select your existing Cloud Service from the menu so as not to duplicate your listing by adding a new one with a different spelling or formatting. If you need to make changes to your Cloud Service information, contact email@example.com.
Step 5. Wait for your listing to be posted to the STAR Registry
Your STAR Registry entry will often be posted within one business day. However, in some cases it can take up to 5 business days for our team to manually review a listing and get it posted for you. If you have any questions about this process, please feel free to contact us by the support link or to drop an email to firstname.lastname@example.org for more information.
More information about the form field information
The following information is intended to help you understand the correct formatting and applicable data to be filled in when submitting to the STAR Registry.
Please be aware that the personal data you submit to the STAR Registry is considered private and we will not share this data with anyone outside CSA. Your Company Information, including your Organization Name, URL and Description, and your Cloud service Name, URL and Description as well as your CAIQ document and supporting document as listed below are meant to be listed publicly on the STAR Registry and your use of the STAR submission explicitly includes permission to list that information on the Registry. All other information is considered private.
Name: This should be your name as you are recognized in the Organization. This information is private and will not be shared publicly.
Email: You will need to provide your company email for this field. The email needs to be a legitimate email that only belongs to one person and should not be an abstracted email. Only use lower-case letters in your email. Please note that the domain of your email and the company domain you are submitting for must match or your submission may be rejected. The email you use for this will only be used to send notices about the STAR registry and will not be shared with any third party. This is kept private for your security.
Type of Registry Entry: Select the type of submission you are making (i.e. Self-Assessment).
Specification: Select the specification for your type of registry entry. (CAIQ)
Service Category: This field is required. It helps users who are looking for your listing on the STAR Registry.
About your CAIQ Self-Assessment Document:
A CAIQ is the questionnaire associated with the Cloud Controls Matrix (CCM). The CAIQ provides a set of questions to determine if the CCM controls have been implemented. You can find out more about the CCM here.
Troubleshooting tips for submitting your CAIQ:
If your Level 1 Self-Assessment is rejected for any reason related to the formatting of the CAIQ, you can use this list to troubleshoot the problem.
- All CAIQ documents must be submitted in the original format that Cloud Security Alliance provides.
- CCM self-assessments will not be accepted.
- Do not add or remove any columns or rows. Do not rename tabs or change the arrangement of any elements.
- The primary document must be submitted with the .xlsx extension.
- The only changes allowed are to select from the existing drop-down items in columns C and D, which are mandatory fields, and to fill in columns E and F, which are optional but recommended, especially for any control answered “No” or “N/A”. If any control is missing data in columns C and/or D, your submission will be rejected.
- If you would like to submit an assessment in a modified PDF format, you may do so as a supporting document in addition to the required XLSX primary document.
- Only the CAIQ is accepted as a primary document for the Level 1 Self-Assessment submissions.
- Note: The information reported in your CAIQ must be truthful and not misleading.
First STAR Registry Submission:
Email Validation: Once you have submitted the primary submission form, you will receive an email to confirm your email address. By confirming your email, you agree to the creation of a STAR user account with the name and email provided. Once confirmed, you will be redirected to an organization selection form. If you choose to reject this email, your entry will not be submitted, and the account will not be created.
Create/Select Organization: You will notice a drop-down menu from which you can select your organization. If you have never submitted to our registry before, it is likely that your organization will not be listed on the drop-down. Select the option to create a new organization.
Please fill out the organization form completely. The description should be a brief summary of your organization itself (max 300 characters). For example:
“The Cloud Security Alliance (CSA) is the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. CSA harnesses the subject matter expertise of industry practitioners, associations, governments, and its corporate and individual members to offer cloud security-specific research, education, certification, events and products.”
Service Selection: Once you have created and/or selected your organization, you will be redirected to a cloud service selection form. Please fill out the cloud service form completely. The name can be the same as your company, but if you have a specific name for the service, we recommend using this instead. The description should be a brief summary of the cloud service itself. For example, for CSA’s STARWatch:
“Cloud Security Alliance STARWatch is a Software as a Service (SaaS) application to help organizations manage compliance with CSA STAR (Security, Trust and Assurance Registry) requirements. STARWatch delivers the content of the Cloud Controls Matrix (CCM) and Consensus Assessments Initiative Questionnaire (CAIQ) in a database format, enabling users to manage compliance of cloud services with CSA practices.”
Organization Confirmation: You must complete all of these steps in order to submit your entry. Since this is your first submission to our registry, you will be automatically added to your Organization’s employment record, allowing you to submit for your Organization.
Please see the instructions for a Level 1 Submission: CAIQ Self-Assessment. The process is identical but should be repeated monthly rather than annually.