STANDARDS

Our CryptoCurrency Security Standard (CCSS) Auditor Exam is now available and audits are underway. Learn more about the CCSS and how to get your system(s) certified.

FAQs

How do I renew my certification?

I love what you're doing and want to help. How can I get started?

I just completed my exam and saw two questions that seemed similar. Why?

What happens if I fail my exam?

I just completed my exam and answered a few questions incorrectly. Can I see these answers?

What is the CCSS?

CCSS is a standard for securing cryptocurrency systems

CryptoCurrency Security Standard (CCSS) is a set of requirements for all information systems that make use of cryptocurrencies, including exchanges, web applications, and cryptocurrency storage solutions. By standardizing the techniques and methodologies used by systems around the globe, end-users will be able to easily make educated decisions about which products and services to use and with which companies they wish to align.

CCSS is designed to complement existing information security standards (i.e. ISO 27001:2013) by introducing guidance for security best practices with respect to cryptocurrencies such as Bitcoin. CCSS is not designed to substitute or replace these standards; in fact, following the CCSS to the letter while ignoring standards like ISO 27001:2013 will likely lead to compromise. CCSS is a cryptocurrency standard that augments standard information security practices. As with any standard, knowledgeable and experienced security professionals and/or auditors are necessary when implementing any information system to ensure coverage of all classes of attack as well as the appropriate handling of all potential risks.

There are different types of cryptocurrency systems, and an Entity can have multiple types of systems. Entities are not certified, but rather systems are certified. Systems can be certified as CCSS Level 1, 2, or 3 with increased security as the levels increase. Systems fall into 3 buckets. Self-Custody, Qualified Service Provider (QSP), and Full System.

A self-custody system has sole control of the private keys that controls that entity’s own funds. Self Custody systems do not have control over customer funds.

A CCSS Qualified Service Provider (QSP) is a system that does not meet all applicable CCSS requirements in totality because there will be some requirements that the system using the service will be either wholly or partially responsible for. Because of this, the QSP can only meet the requirements that they (1) have the ability to control, and (2) are part of the service that they provide.

A CCSS Full System is a system that meets all applicable CCSS requirements in totality. In situations where a system includes a QSP system as part of their system, some CCSS requirements may be met by the QSP system, as determined by the Cryptocurrency Security Standard Auditor (CCSSA).

Documents

Standard (Written)
Standard (Matrix)
Auditor Guide
Glossary
Appendix 1

Our CryptoCurrency Security Standard (CCSS) Auditor Exam is now ready! Learn more about the exam here.

How to start a CCSS Audit

Certified CCSS Systems have been independently evaluated and audited against 31 aspect controls of the CryptoCurrency Security Standard. Systems that earn Level 1, Level 2, or Level 3 designations have proven they are robust, resilient, and rooted in best practices. Learn more about the CCSS and how to get your system(s) certified below.

The first step to getting audited is to select a CCSSA. You can search our currently certified CCSSAs here. Entities then contact and negotiate with the CCSSA of their choosing. Please note that while these individuals have proven their knowledge of the CCSS, C4 does not endorse specific CCSSAs. It is imperative that entities follow best practices for selecting an auditor.

All CCSS audits cover a period of time prior to audit completion and will test the operating effectiveness of the control over this period of time. Audits are designed to be performed at least annually and cover the preceding 12 month period. All audits performed by CCSSAs are reviewed by a CCSSA-Peer Reviewer before C4 certifies an entity. Any dispute arising out of the peer review process shall be arbitrated by the CCSS Steering Committee.

The CCSSA is responsible for ensuring all data related to the audit is transmitted and stored in a secure manner for the duration of the Certificate of Compliance (CoC) and as legally required in the jurisdiction of the audit. C4 will not view documentation of evidence outside the Summary Report on Compliance (SRoC). The CCSS steering committee shall review evidentiary documentation in the case of a peer review dispute.

*Text version of this image can be found in the Auditor’s Guide.

What is a CryptoCurrency Security Standard Auditor (CCSSA)?

A CryptoCurrency Security Standard Auditor is an expert in the CCSS. CCSSAs are able to apply the CCSS standard to any information system that uses cryptocurrencies, calculating a grade for the system according to the CCSS.

CCSSAs must avoid any potential conflict of interest. This may include current or previous employment, familial relationships, financial interest (such as tokens or equity held), or any other matters that may constitute a conflict of interest.

Learn how to become a CCSSA here.

What is the cost of a CCSS audit?

Audit fees will be determined between the CCSSA and the entity. It is the responsibility of the CCSSA to ensure sufficient time to complete the audit is reflected in the agreed upon fees.

Audit fees must also include the Listing Fee and the CCSSA-PR’s fee, as determined between the CCSSA and the CCSSA-PR. The CCSSA-PR’s fee will be forwarded to the CCSSA-PR by the CCSSA. C4 will send an invoice for the Listing Fee to the CCSSA after approving the SRoC.

The listing fee, paid by the audited system’s entity to the CCSSA, is based on Table 1.

When multiple systems (up to 3) are covered in the same audit, C4 only charges the listing fee of the most expensive system . When auditing 4-6 systems, C4 only charge the listing fee of the two most expensive system, and so on. If you have any questions, please reach out to info@cryptoconsortium.org

Who manages the CCSS?

The standard is maintained by the CCSS Steering Committee. The committee's mission is to ensure the standard continues to remain up-to-date with industry best practices and remain neutral. Current CCSS Steering Committee members are (in alphabetical order): S. Dirk Anderson, Andreas M. Antonopoulos, Petri Basson, Noah Buxton, Jameson Lopp, Joshua McDougall, Michael Perklin, and Ron Stoner.

S. Dirk Anderson

COO at SALT Blockchain Inc.

Dirk has worked with information security, privacy, and cryptography for a couple of decades so it was just natural that he would wind up in the world of crypto currencies and blockchains. He is currently the Chief Information Officer at SALT Blockchain the pioneer of crypto-backed lending. Before SALT he spent a decade or so helping to build Coalfire, now the largest global dedicated cybersecurity consultancy where he held positions as the VP of Enterprise Risk & Compliance, VP of Threat Intelligence, and Regional VP of Professional Services for the Central US. Prior to all that he was a founder and Principle Analyst at Leviathan Security, served as the Chief Security Architect for ConQwest (now Towerwall), and as the Senior Manager of Global Security Architecture at Global Crossing, Ltd. His experience extends through a variety of industry verticals including retail, banking, telecommunications, investment, energy, higher education, government organizations, and third-party service providers such as hosting and cloud services. Dirk also teaches and speaks globally on the topics he’s passionate about contributing to the Certified Bitcoin Professional (CBP) training course on Udemy and Thinkific, teaching multiple session at the Blockchain Training Conference, and the Rocky Mountain Internet Security Conference, as well as sitting on panels at events including the London Blockchain Summit and Belgrade Venture Forum. He is also a contributing author to publications from the original SANS Incident Handling Step-by-Step guide to Security 2020: Reduce Security Risks This Decade. At C4 he serves on both the CBP and CCSSA committees.

Petri Basson

Founder - HASH consulting, CCSS Committee Chair

Petri has a background in finance and IT. He holds qualifications as a Chartered Accountant (CA(SA)) as well as Certified Information System Auditor (CISA), Certified Bitcoin Professional (CBP) and Accredited Director (Acc. Dir). He helped to set up KPMG in the Cayman Islands' Digital Asset practice and has experience working with a wide range of clients in the digital asset space.

Noah Buxton

Partner at The Network Firm

Noah has more than 15 years of audit, legal, IT and regulatory compliance experience and has served crypto clients since 2016. Noah is Co-Founder & CEO of The Network Firm, the only 100% digital assets-focused CPA firm in the US. While Noah advises blockchain and virtual currency clients on myriad industry-specific issues, his expertise lies in IT & Security matters as well as financial assurance and reporting for Exchanges, Stablecoins, and Token Issuers.

Marc Krisjanous

Senior Security Consultant at Confide

Marc has over 18 years’ experience in the IT security sector in a variety of roles including IT Security Architect, IT Service Manager and as the Security Operations Centre Manager for a critical New Zealand infrastructure entity. As a Senior Security Consultant at Confide, Marc is involved with many of our large customers that have complex payment environments. Marc is a Qualified Security Assessor (QSA) for PCI DSS, he holds CISSP and ISO27001 Lead Auditor certifications, and has a number of blockchain and cryptocurrency based certifications. As well as being a certified CryptoCurrency Security Standard Auditor (CCSSA).

Jameson Lopp

Founder and CTO - Casa

Jameson has been building multisig Bitcoin wallets since 2015. He is the founder and CTO of Casa and also founded Mensa's Bitcoin Special Interest Group, the Triangle Bitcoin & Business meetup, and several open source Bitcoin projects. He enjoys researching various aspects of the ecosystem and giving presentations about what he has learned the hard way while trying to write robust software that can withstand both adversaries and unsophisticated users.

Joshua McDougall

President, Slow Ninja

Researcher and Educator. Currently building games in the Cosmos for the sentient.

Michael Perklin

Chairman of the Board, CryptoCurrency Certification Consortium (C4)

Michael Perklin is an information security professional who has been working with bitcoin, blockchains, and decentralized systems since 2010. He has provided numerous contributions to the industry including founding the CryptoCurrency Certification Consortium (C4), securing the launch of Ethereum's ICO, providing expert witness testimony to put cybercriminals behind bars, and drafting the CryptoCurrency Security Standard (CCSS). Michael has served on the boards of the Bitcoin Alliance of Canada and The Bitcoin Foundation, and was the Chief Information Security Officer of ShapeShift for five years before helping them decentralize into a DAO in 2021. Michael currently spends his time contributing to various decentralized projects as a security advisor and angel investor.