Control Correlation Identifiers (CCI) Explained
The CCIs in frameworks are used to specify how a control is to be met. Sometimes there are multiple CCIs for a control that break down the requirements into smaller pieces that are more easily tracked. When we generate compliance for a framework based on the data shown in OpenRMF® Professional, it is computed at the CCI level and then rolled up to the controls the CCIs correspond to.
All frameworks within OpenRMF® Professional contain one or more controls, and each of those controls contains one or more CCIs.
CCIs are used in checklists within the application to link a vulnerability Id (e.g. V-223445) to a control for compliance generation and tracking. CCIs are also used for specific compliance statements to link that statement to the control or subcontrol they match. CCIs also link inherited controls and their source information.
Default CCIs
Many CCIs are included in OpenRMF® Professional by default. They come from the https://public.cyber.mil/ website, which shows a breakdown of CCIs per control based on the NIST 800-53 list of controls for revision 4 and revision 5.
Note that default CCIs within OpenRMF® Professional cannot be edited or deleted.
The CCIs are used with the default frameworks and framework levels by linking to the controls within those frameworks. They can also be used in other frameworks and framework/level combinations that you add. You can use and reuse default CCIs for those frameworks and/or add your own custom CCIs. These can be from defined frameworks (HIPAA, HITRUST, IEC 62443, etc.) or can be custom controls for you and your organization.
A CCI can be used with any control when building your own framework or uploading one from files as well. You are not required to only use the default CCIs with default controls when building or adding your own framework.
Adding a CCI
To add a CCI, click the Create CCI button on the CCI listing page.
Finally, you can also add one or more tags and a description to ensure people understand the control use. Then click the Save button.
Once added, that CCI can be used across the application in any framework that you can add or edit (non-default).
You can also add CCIs by uploading an XLSX file in the proper format. You can do this via the Upload menu in the Frameworks area. Make sure you choose the proper file to upload. You can download a Sample CCI XLSX as a starting point for uploading a spreadsheet or CSV file. You can also use the data for this shown in our public GitHub repo linked off our Soteria Software website.
The JSON structure for the control is listed below:
[
  {
    "cciId": "CCI-100020",
    "cciContributor": "My Company",
    "cciDefinition": "Official Definition",
    "cciDescription": "Description for explanation",
    "cciReferences": "NIST 800-53 revision 5 AU-10",
    "cciType": [
      "process"
    ],
    "cciPublishDate": "09/05/2025",
    "cciTags": []
  },
  {
    "cciId": "CCI-100021",
    "cciContributor": "My Company",
    "cciDefinition": "Official Definition",
    "cciDescription": "Description for explanation",
    "cciReferences": "NIST 800-53 revision 5 PM-16",
    "cciType": [
      "process"
    ],
    "cciPublishDate": "09/05/2025",
    "cciTags": []
  }
]
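A pre-load check for a file in the JSON structure shown above, added here as an example and not part of OpenRMF® Professional. The function name, the required keys, the CCI-<digits> id pattern and the date shape are assumptions inferred from the sample, not a published schema.

```python
import json
import re
from collections import Counter

# Keys and value types are inferred from the sample above, not a published schema.
STRING_KEYS = ("cciId", "cciContributor", "cciDefinition",
               "cciDescription", "cciReferences", "cciPublishDate")
LIST_KEYS = ("cciType", "cciTags")
CCI_ID = re.compile(r"CCI-\d+")  # assumed from "CCI-100020"
DATE_SHAPE = re.compile(r"\d{2}/\d{2}/\d{4}")  # shape only; day/month order not stated

def lint_cci_json(text):
    """Return (index, cciId, problem) tuples; an empty list means no findings."""
    try:
        records = json.loads(text)
    except json.JSONDecodeError as exc:
        return [(None, None, f"not valid JSON: {exc.msg}")]
    if not isinstance(records, list):
        return [(None, None, "top level must be an array of CCI objects")]
    seen = Counter(r["cciId"] for r in records
                   if isinstance(r, dict) and isinstance(r.get("cciId"), str))
    problems = []
    for i, rec in enumerate(records):
        if not isinstance(rec, dict):
            problems.append((i, None, "entry is not an object"))
            continue
        cid = rec.get("cciId")
        for key in STRING_KEYS:
            if not isinstance(rec.get(key), str):
                problems.append((i, cid, f"{key} missing or not a string"))
        for key in LIST_KEYS:
            val = rec.get(key)
            if not isinstance(val, list) or not all(isinstance(v, str) for v in val):
                problems.append((i, cid, f"{key} must be a list of strings"))
        if isinstance(cid, str) and not CCI_ID.fullmatch(cid):
            problems.append((i, cid, "cciId is not CCI-<digits>"))
        if isinstance(cid, str) and seen[cid] > 1:
            problems.append((i, cid, "duplicate cciId in file"))
        date = rec.get("cciPublishDate")
        if isinstance(date, str) and not DATE_SHAPE.fullmatch(date):
            problems.append((i, cid, "cciPublishDate is not NN/NN/YYYY"))
    return problems

# Constructed sample: a clean record plus a copy with three defects.
GOOD = {"cciId": "CCI-100020", "cciContributor": "My Company", "cciDefinition": "Official Definition",
        "cciDescription": "Description for explanation", "cciReferences": "NIST 800-53 revision 5 AU-10",
        "cciType": ["process"], "cciPublishDate": "09/05/2025", "cciTags": []}
BAD = dict(GOOD, cciId="100021", cciType="process", cciPublishDate="2025-09-05")
SAMPLE = json.dumps([GOOD, BAD])
```

Duplicate ids are reported on every record that shares the id, so the findings point at each conflicting row rather than only the second one.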
Editing a CCI
To edit a CCI, click the ... menu in the listing of non-default controls and select Edit from the menu. Enter your updates on the CCI number, contributor, date, types, definition and more as required. Then click the Save button. When you save the data, all corresponding information such as the CCI Number and definition is updated throughout the solution wherever it is currently being used.
Deleting a CCI
To delete a CCI, click the ... menu in the listing of non-default controls and select Delete from the menu. A warning page shows that when the CCI is deleted, any combination within the application on any framework and/or framework level is also removed. You must click the Delete CCI button to actually delete the data.
This is a hard delete and cannot be undone. You can always re-create or reupload the files that generated the non-default CCI though.