Marc Krisjanous is one of the first CCSS Auditors and assisted C4 in the development of their auditors program.
The Cryptocurrency Security Standard (CCSS) is an open information security standard which focuses on the application of information security controls for information systems that make use of cryptocurrencies including exchanges, custodial services, and cryptocurrency storage solutions. I have written a detailed article on CCSS here.
To become CCSS certified, an entity must engage a CCSS Auditor (CCSSA) who will conduct an in-depth audit of the people, process and technology components that make up the cryptocurrency functions that the entity requires to be CCSS certified.
There are three certification paths for CCSS:
- Self Custody
- CCSS Full System Certified
- CCSS Qualified Service Provider
Self Custody Designation
The self custody designation is for “systems that hold all keys to the system that controls the entity’s own funds”.
An example is a shop whose eCommerce website accepts cryptocurrency for the products the entity sells.
If an entity believes it meets the CCSS Self Custody designation, the entity is still required to engage a CCSSA to audit the entity’s environment. If the entity uses a service provider whose products or services are part of the entity’s systems providing cryptocurrency functions, or could impact the security of the systems that provide cryptocurrency functions, then the entity will need to be certified for a Full System certification instead of the Self Custody certification.
Qualified Service Provider (QSP) Designation
A CCSS Qualified Service Provider (QSP) is an entity that does not meet all applicable CCSS requirements in totality because there will be some requirements that entities using the service will be either wholly or partially responsible for. Because of this, the QSP can only meet the requirements that they (1) have the ability to control, and (2) are part of the service that they provide.
Take the example of “Assessed Entity A”, who provides a service in which they participate in signing a customer’s transaction by controlling one or more of the signing keys used to sign the transaction. The customers, in this case “Bob” and “Alice”, control the other keys.
This is a common strategy, sometimes referred to as “partial custody”, where the signing keys are split between two or more entities; it is commonly used with multi-sig wallets. CCSS requires that all signing keys are protected while at rest, in transmission and in use.
Because Bob and Alice are responsible for the keys when they are at Entity B, Assessed Entity A has no ability to control how those keys are secured at rest or in use, since they are within Bob and Alice’s environment. Because of this, Assessed Entity A cannot meet the applicable requirements for controlling the signing keys in totality, since some of the signing keys are outside of their control.
Assessed Entity A may be able to provide assurance to their CCSSA via evidence that the signing keys under their control meet the applicable CCSS requirements. But they will not be able to demonstrate this assurance for the keys managed by Entity B or any other entity that uses their service.
In this scenario, Assessed Entity A would be designated a “service provider” and if they successfully complete the audit process, they will become a “CCSS Qualified Service Provider”.
CCSS requires that the entire system providing cryptocurrency functions is audited and that all applicable CCSS requirements are met in totality. Because each requirement must be demonstrated to be met in totality, Assessed Entity A could not meet the CCSS requirement for protecting all signing keys: they did not have full control over all the signing keys in use, as some of these keys are the responsibility of Bob and Alice.
While our example only covered one CCSS requirement, the stipulation of meeting a requirement in totality applies to all CCSS requirements.
There are many benefits to becoming a CCSS Qualified Service Provider for entities that provide products and services such as wallet systems, partial and full custody services, funds management, payment gateways or trading services used by exchanges, financial institutions and eCommerce. We will cover some of these benefits later in the article.
CCSS Full System Certified
This leads us to the CCSS Full System Certified designation, which is for an entity that can meet all applicable CCSS requirements in totality while also using a service provider to provide cryptocurrency functions. This is the key distinction between a Self Custody certified entity and a Full System certified entity: the Self Custody entity controls all keys.
Continuing with our example of the signing keys, it’s “simple” when a single organization holds all the keys so it’s possible to get assurance that the requirement has been met in totality.
Continuing our example with the partial custody service, an entity (referred to in this article as “Assessed Entity B”) that can provide assurance to the CCSSA that they control all signing keys can become a CCSS Full System Certified entity.
It’s important to note however that to become a CCSS Full System Certified entity all applicable CCSS requirements must be met in totality. Remember, we are just using one CCSS requirement as an example for this article.
Impact of using a Service Provider who is not a CCSS QSP
But often there are other parties involved, which makes showing that the requirement has been met in totality a bigger challenge. If your service provider is not CCSS QSP certified, then the scope of your CCSS audit has potentially doubled. In this case, let’s look at what happens when Entity B works with a service provider who is not a CCSS QSP, Entity C.
If Entity B wants to become CCSS certified, then to show the requirements are met in totality Entity C needs to become part of the CCSS audit, because Entity C does not have a CCSS QSP certification that Assessed Entity B can rely on. Every time one of Entity C’s customers needs to show the requirements are met in totality, Entity C will need to be part of their audit.
Benefits of using a CCSS QSP for Your Own CCSS Audit
However, there is another way for an entity to become CCSS Full System Certified without itself having to meet all applicable CCSS requirements in totality, including those covered by service providers that are part of its trusted environment: use a CCSS Qualified Service Provider.
Going back to our partial custody service example, if Assessed Entity B uses a CCSS Qualified Service Provider (Assessed Entity A from earlier) to provide the partial custody service, and the CCSS Qualified Service Provider has met the applicable CCSS requirement for protecting signing keys, then all Assessed Entity B must do is prove to the CCSSA auditing their systems that they meet the CCSS requirement for protecting the keys that they control. The CCSSA will ask Assessed Entity B for the CCSS Qualified Service Provider’s Summary Report on Compliance (SRoC) as evidence that the provider’s systems have been audited by another CCSSA and certified.
So, Assessed Entity B could become a CCSS Full System Certified entity by using a CCSS Qualified Service Provider (Assessed Entity A) who has met the applicable CCSS requirement for protecting the signing keys they manage for the partial custody service, while Assessed Entity B meets the same requirement for the signing keys they manage. Through this combination of using a CCSS Qualified Service Provider and meeting the requirement themselves, the CCSS requirement is met in totality, albeit via two separate entities.
The Benefits of using a CCSS Qualified Service Provider
So, in summary, an entity can use a CCSS Qualified Service Provider to reduce its own CCSS audit scope.
However, if the entity seeking CCSS Full System Certified status uses another entity to provide services that are part of the systems providing cryptocurrency functions, or that impact the security of those systems, and that entity is not a CCSS Qualified Service Provider, then both entities must be audited by the CCSSA to ensure all CCSS requirements are met in totality.
An entity that is a CCSS Qualified Service Provider can benefit its customers by reducing their CCSS audit effort, since the CCSS Qualified Service Provider will already have met a reasonable proportion of the applicable requirements in its own audit, depending on which products and services the customer uses from the CCSS Qualified Service Provider.
Need Help?
Always make sure that you do your due diligence when selecting a CCSSA for your audit. You can read our tips about selecting a CCSSA.
Or contact us if you’d like to learn more about how we can help you with CCSS.