How do third parties or service providers affect the scope of the audit?

Third parties are not automatically out of scope. If they touch key material or affect how it’s managed, they are part of the system.

The scope of a CCSS audit is defined by the CCSS Trusted Environment. That includes any people, processes, or technology that can impact the security of key material. If a provider is involved in key material generation, storage, access, usage, or could impact the key material in any way, they are in scope.

This often includes custodians, wallet providers, cloud infrastructure, signing services (multi-sig or MPC), and managed security or DevOps providers.

Using a third party does not shift responsibility. The system being audited is still responsible for meeting CCSS requirements.

In practice, this means either the third party is in scope and their controls are assessed, or the system relies on a Qualified Service Provider (QSP), where responsibilities are clearly defined.

If a third party is in scope, there needs to be visibility into how their controls work. Without that, it becomes difficult to show requirements are met.

Using a well-known provider is not enough on its own. What matters is whether the controls can be understood, evidenced, and audited as part of the system.

Can one entity have multiple systems audited under CCSS?

Yes.

A single entity can have multiple systems, and each system can be scoped and audited independently.

For example, an organization might have:

A custody platform
A trading or exchange system
An internal treasury system

Each of these could be treated as a separate system if the key management processes, infrastructure, or teams differ.

Each system would:

Define its own Trusted Environment
Be assessed against CCSS requirements
Receive its own certification level

This allows organizations to certify specific parts of their environment without needing to include everything under one scope.

How is the scope of a system under CCSS defined?

Scope is the boundary of what’s being audited.

Anything that interacts with key material is part of the scope of a CCSS Trusted Environment.

In practice, scoping means identifying:

Where keys are generated, stored, accessed, and used
Who can interact with them
What systems or services are involved

During an audit, the scope often gets refined as the auditor asks more detailed questions and learns how things actually work in the system being audited.

A good rule:
If it could impact the key material, it’s in scope.

What is a CCSS Trusted Environment?

The CCSS Trusted Environment is everything that can impact the security of key material. This includes people, processes, technology, systems, infrastructure, and any third parties involved in key material generation, usage, storage, access, etc.

If a person or system can approve a transaction, access a key, or influence how key material is handled, they are part of the CCSS Trusted Environment. The same goes for vendors, cloud providers, or external services that play a role.

In practice, defining the CCSS Trusted Environment is about answering:
Who or what could compromise the key material?