CSA STAR
CSA STAR is the Cloud Security Alliance's registry and certification program that documents cloud provider security posture, with self-assessment (Level 1) through third-party audit (Level 2) tiers.
The CSA STAR program
The Cloud Security Alliance Security, Trust, Assurance, and Risk (STAR) program is a public registry of cloud service provider security postures. Level 1 is a self-assessment using the Consensus Assessments Initiative Questionnaire (CAIQ) and is free to publish. Level 2 is a third-party audit, either STAR Certification (which extends an ISO 27001 audit with the CSA Cloud Controls Matrix, CCM) or STAR Attestation (which extends a SOC 2 audit with the CCM). Level 3 (continuous auditing) exists but is rarely used in practice.
CAIQ as a procurement shortcut
The CAIQ is a 250-question Yes/No/N/A questionnaire that maps to the Cloud Controls Matrix. Many enterprise buyers ask vendors to complete the CAIQ as part of vendor due diligence; if the vendor has already published a Level 1 self-assessment on the STAR registry, that publication satisfies the request without bespoke effort. STAR Level 2 (audited) is stronger evidence and is increasingly expected from enterprise-focused vendors.
AI vendor procurement implications
CSA STAR is cloud-security-focused, not AI-specific, but the Cloud Controls Matrix covers many of the same control families that show up in AI procurement (identity, encryption, logging, vulnerability management, incident response). For an AI vendor, a STAR Level 2 attestation that builds on SOC 2 is the strongest form of STAR evidence. The CSA also publishes AI-specific guidance (the AI Controls Matrix) that is becoming a reference point for AI-specific procurement questionnaires.