Automated Governance is Within Reach.
Technology-agnostic security controls for public and private cloud.
The Problem
Financial institutions are rapidly adopting public cloud infrastructure, yet today's cloud platforms were not designed with the specific requirements of financial services in mind.
The Solution: FINOS Common Cloud Controls
FINOS CCC is an open industry standard that defines a consistent set of security, resiliency, and compliance controls for public cloud services, written once and usable across every major cloud provider.
Who Is It For?
Financial institutions
Reduce compliance costs, close security gaps, and avoid vendor lock-in. Stop solving the same problems independently and build on a standard your peers helped create.
Cloud service providers
Certify once against a single, authoritative industry standard instead of meeting a different bar set by every customer.
Regulators
Map your jurisdiction's requirements to a common framework rather than enforcing bespoke interpretations of cloud risk.
Technology teams
Use published control catalogs and open-source validators to build and test compliant infrastructure from day one.
CCC is built openly, governed collaboratively, and backed by leading financial institutions, cloud providers, and technology organisations from across the industry. It lives on GitHub and welcomes contributors.
Level Up Your Process
Achieving fully automated governance requires moving from static compliance documents to executable design requirements. Here is how your team can leverage the CCC project to build a robust GRC Engineering pipeline.
Import the Core Catalog
Pull in the FINOS CCC Core Catalog — a foundational baseline of reusable, technology-agnostic threat and control definitions. A shared, authoritative starting point your whole team can build from.
Build Technology-Specific Catalogs
Import core definitions into your organization's environments, or extend our technology-specific catalogs to fit your needs. Assess capabilities, map threats, and apply precise mitigation controls where they matter.
Automate Tests Using Assessment Requirements
Every control ships with tightly scoped, verifiable assessment requirements. Translate them into scans, code analyses, or behavioral checks — wired into your pipelines as gates that block non-compliant resources before production.
Join the Community
Common Cloud Controls is an open, community-driven project. There are many ways to get involved — pick the one that works best for you.
Contribute on GitHub
Browse open issues, submit pull requests, and help shape the catalog. All contributions — big or small — are welcome.
View Repository →
Join the Slack Channel
Connect with contributors and maintainers in real time. Ask questions, share ideas, and stay up to date with project news.
Open Slack →
Attend Working Group Meetings
Join our regular open calls to discuss roadmap priorities, review proposals, and collaborate with the broader community.
See Meeting Schedule →
Subscribe to Updates
Follow FINOS to receive announcements about new releases, events, and community highlights straight to your inbox.
Learn More at FINOS →
Steering Committee
