+2 Criteria, Additional Criteria and Supplementary Information
---+SOV-1 Strategic Sovereignty
------+SOV-1-01 Jurisdiction
---------+SOV-1-01-C1
---------+SOV-1-01-C2
---------+SOV-1-01-SI
------+SOV-1-02 Registered Office
---------+SOV-1-02-C1
---------+SOV-1-02-C2
---------+SOV-1-02-SI
------+SOV-1-03 CSP Effective Control
---------+SOV-1-03-C1
---------+SOV-1-03-C2
---------+SOV-1-03-SI
------+SOV-1-04 CSP Control Change
---------+SOV-1-04-C
---+SOV-2 Legal & Jurisdictional Sovereignty
------+SOV-2-01 Extraterritorial Exposure
---------+SOV-2-01-C
------+SOV-2-02 Audit Rights
---------+SOV-2-02-C1
---------+SOV-2-02-C2
---------+SOV-2-02-SI
------+SOV-2-03 State of Defense Takeover
---------+SOV-2-03-C1
---------+SOV-2-03-C2
---------+SOV-2-03-SI
---+SOV-3 Data Sovereignty
------+SOV-3-01 Data Residence
---------+SOV-3-01-C1
---------+SOV-3-01-C2
---------+SOV-3-01-C3
---------+SOV-3-01-C4
---------+SOV-3-01-C5
---------+SOV-3-01-SI
------+SOV-3-02 External Key Management
---------+SOV-3-02-C
---------+SOV-3-02-AC
---------+SOV-3-02-SI
------+SOV-3-03 External Identity Provider
---------+SOV-3-03-C
---------+SOV-3-03-AC1
---------+SOV-3-03-AC2
---------+SOV-3-03-AC3
------+SOV-3-04 Logging and Monitoring
---------+SOV-3-04-C
---------+SOV-3-04-AC1
---------+SOV-3-04-AC2
------+SOV-3-05 Client-Side Encryption
---------+SOV-3-05-C
---------+SOV-3-05-SI
---+SOV-4 Operational Sovereignty
------+SOV-4-01 Operating Personnel
---------+SOV-4-01-C1
---------+SOV-4-01-C2
---------+SOV-4-01-C3
------+SOV-4-02 Remote Work
---------+SOV-4-02-C1
---------+SOV-4-02-C2
------+SOV-4-03 Redundant connectivity providers
---------+SOV-4-03-C
---------+SOV-4-03-AC
------+SOV-4-04 SOC
---------+SOV-4-04-C1
---------+SOV-4-04-C2
------+SOV-4-05 Ingress Data Control
---------+SOV-4-05-C
---------+SOV-4-05-AC1
---------+SOV-4-05-AC2
---------+SOV-4-05-SI
------+SOV-4-06 Update threat analysis
---------+SOV-4-06-C
------+SOV-4-07 Data exchange monitoring
---------+SOV-4-07-C
---------+SOV-4-07-SI
------+SOV-4-08 Data exchange gateways
---------+SOV-4-08-C
---------+SOV-4-08-AC
---------+SOV-4-08-SI
------+SOV-4-09 Disconnect
---------+SOV-4-09-C
---------+SOV-4-09-AC
---------+SOV-4-09-SI
------+SOV-4-10 Reconnect
---------+SOV-4-10-C
---+SOV-5 Supply Chain Sovereignty
------+SOV-5-01 Software Dependencies
---------+SOV-5-01-C
---------+SOV-5-01-AC
---------+SOV-5-01-SI
------+SOV-5-02 Hardware Dependencies
---------+SOV-5-02-C
---------+SOV-5-02-AC
---------+SOV-5-02-SI
------+SOV-5-03 External Service Dependencies
---------+SOV-5-03-C
---------+SOV-5-03-AC
---------+SOV-5-03-SI
------+SOV-5-04 Export Restriction
---------+SOV-5-04-C
------+SOV-5-05 Capacity Management
---------+SOV-5-05-C1
---------+SOV-5-05-C2
---+SOV-6 Technology Sovereignty
------+SOV-6-01 Source Code Availability
---------+SOV-6-01-C
------+SOV-6-02 Continuous Service Delivery
---------+SOV-6-02-C
---------+SOV-6-02-AC
------+SOV-6-03 Software Development
---------+SOV-6-03-C

1. Overview

2 Criteria, Additional Criteria and Supplementary Information

2 Criteria, Additional Criteria and Supplementary Information

Summary	Standard
SOV-1 Strategic Sovereignty	SOV-1 Strategic Sovereignty
SOV-2 Legal & Jurisdictional Sovereignty	SOV-2 Legal & Jurisdictional Sovereignty
SOV-3 Data Sovereignty	SOV-3 Data Sovereignty
SOV-4 Operational Sovereignty	SOV-4 Operational Sovereignty
SOV-5 Supply Chain Sovereignty	SOV-5 Supply Chain Sovereignty
SOV-6 Technology Sovereignty	SOV-6 Technology Sovereignty

1.1 References

1.2 Identified Requirements

1.2 Related Regulation

2. Identified Requirements

Requirements
Source	Requirement

3. Related Regulations

Regulations
Source	Regulation

BSI C3A - Criteria enabling Cloud Computing Autonomy -
Copyright by Bundesamt für Sicherheit in der Informationstechnik

C3A - Criteria enabling Cloud Computing Autonomy

Published under Creative-Commons-License CC-BY-ND 4.0 International.

Impressum