What is the CryptoCurrency Security Standard?

The CryptoCurrency Security Standard is an open, free standard (created by industry experts) for securing cryptocurrency systems.

CCSS audited systems will either be identified as Self Custody, Qualified Service Provider (QSP) or a Full System (FS). You can read more about these designations in this blog post.

Any entity whose systems have been audited and certified will be listed on our website and can be seen at https://cryptoconsortium.org/completed-ccss-audits/. Don’t trust, verify. Any entity that claims to be certified but is not listed on our website does not, in fact, have a current, valid CCSS certification. Certifications are point-in-time and are valid for one year from the certification date.

Fireblocks Limited has the first system ever to be CCSS certified!

Fireblocks Limited is the first company with a system to ever receive a CryptoCurrency Security Standard (CCSS) Certificate of Compliance, after having been audited by a third-party CCSS Auditor. Fireblocks’ system, comprised of Fireblocks Hot and Cold Vaults, Fireblocks Secure Transfer, and Fireblocks Authorization Workflow, received a Level 3 Qualified Service Provider (QSP) Rating. Completion of this audit confirms that, at the point in time of the audit, the processes that Fireblocks’ system uses to create, store, and manage keys are secure and that they’ve maintained processes and practices that met the required levels of oversight, security, and monitoring in order to protect their system.

It is important to note, however, that this does not verify that another system which uses Fireblocks is CCSS certified at any level. Any third party that uses Fireblocks’ system must be audited for compliance in the areas where Fireblocks does not have control and certified (or not) in an audit for their cryptocurrency system.

Disclaimer

The information presented in this article is for educational and informational purposes only. It does not constitute financial advice, investment recommendations, or any form of endorsement. 

The views and opinions expressed by individuals in this article are solely those of the speakers and do not necessarily represent those of C4 or any other organizations with which they are affiliated.

The mention or inclusion of any individuals, companies, or specific cryptocurrency projects in this video should not be considered as an endorsement or promotion.

Regulations and legal frameworks around cryptocurrencies may vary in different jurisdictions. It is your responsibility to comply with the applicable laws and regulations of your country or region. 

C4’s CryptoCurrency Security Standard (CCSS) is the only standard that certifies for securing cryptocurrency systems.

CCSS is a set of requirements for all information systems that make use of cryptocurrencies, including exchanges, web applications, and cryptocurrency storage solutions. By standardizing the techniques and methodologies used by systems around the globe, CCSS ensures a balance between security and usability so that end-users can easily make educated decisions about which companies and products they wish to align with.

CCSS audited systems are identified as Self Custody, Qualified Service Provider (QSP), or Full System (FS).

Self Custody

A CCSS Self Custody system controls all keys to the system that controls the entity’s own funds. Self Custody systems do not have control over customer funds.

If an entity is using a service provider as part of their cryptocurrency system, it could impact the security of systems that provide cryptocurrency functions; therefore, the entity will need to be certified for a Full System certification instead of the Self Custody certification.

As an example, if a system uses a third-party wallet provider in which the third party participates in the key management, the system would no longer be Self Custody.

Qualified Service Provider

A CCSS Qualified Service Provider (QSP) is a system that meets many of the requirements for CCSS certification with the exception of the few requirements that another system has control over. A QSP is a system that facilitates a subset of custody services to other systems and therefore is only required to meet certain requirements. This means that if a system uses a QSP, the audit focus is only on the few remaining requirements to become certified.

An example of a QSP is a system that participates in signing a customer’s transaction by being in control of one or more of the signing keys used to sign said transaction. The customer controls the other key(s).

When customers are responsible for the other keys, the assessed entity’s system has no ability to control how they are secured at rest or when they are being used, since they are within the customer’s environment. Because of this, the assessed entity’s system cannot meet the requirements for controlling the signing keys in totality, since some of the signing keys are outside of its control.

Full System

A CCSS Full System is a system that meets all applicable CCSS requirements in totality.

A system that provides evidence to the CCSSA that it controls all signing keys will be audited as a CCSS Full System. Full Systems have control over customer funds.

Conclusion

If a system doesn’t meet all the requirements, then that system is either a QSP or uncertified. If a system has control of only some keys and does not meet all the requirements, then it’s not a Full System (and can’t be certified as a Full System); it’s a QSP. If a system controls all keys and does not meet all the requirements, it’s uncertified. If a system controls all keys to the system that controls the entity’s own funds, it is Self Custody.

Don’t trust. Verify.

*Key management is a complex concept with many nuances. This article provides general guidelines; however, each assessed system will require individual scrutiny by a CCSSA.

More articles about the CCSS, written by CCSSA Marc Krisjanous, can be found here: https://www.linkedin.com/in/marckrisjanous/recent-activity/posts/
