The appropriate CCSS certification level depends on the entity and system’s risk profile, risk tolerance, custody model, regulatory obligations, and the value and complexity of the digital assets the system protects.
CCSS defines three certification levels, with each successive level building on the controls required by the previous one. Higher levels require additional security controls, greater separation of duties, and more robust operational processes.
All three certification levels represent a high standard of security. Level 1 is not a “basic” or “entry-level” certification—it requires a comprehensive set of security controls and provides a strong foundation for protecting digital asset systems. Levels 2 and 3 build upon that foundation with additional controls intended for organizations with greater operational complexity or higher assurance requirements.
There is no universal “best” level. A smaller organization managing limited assets may determine that Level 1 provides an appropriate level of assurance, while a large custodian or exchange responsible for significant customer assets may choose to pursue Level 2 or Level 3 based on its risk tolerance and business requirements.
Many entities begin by performing a gap assessment to understand how their existing controls align with each certification level. This helps identify the effort required to achieve a particular level and determine which target is both practical and appropriate.
It’s also important to remember that a system’s overall certification level is determined by its lowest-scoring aspect. To achieve a given certification level, the system must meet all applicable requirements for that level across every aspect of the standard.