FINOS Common Cloud Controls

FINOS Common Cloud Controls (CCC) is an open catalog of machine-readable security controls covering the major cloud service providers. Maintained under FINOS governance, it defines controls at a level of specificity that tools can act on directly — not "implement encryption at rest" as a sentence in a policy document, but a structured definition that specifies what encryption at rest means, how it should be verified, and what evidence of compliance looks like. Every control in the catalog maps to Gemara Layer 2, making it interoperable with any other tool or standard built on the Gemara model.

CCC was designed specifically for regulated industries — financial services in particular — where cloud adoption has been slowed by the absence of clear, auditable compliance definitions for cloud-native infrastructure. The catalog provides those definitions in a form that both compliance teams and engineering tools can work with directly.

The compliance gap in cloud environments is not primarily a technical problem — it is a definitional one. Most existing compliance frameworks were written before cloud infrastructure existed in its current form. When a regulation says "ensure data is protected in transit," it does not say what that means for an object storage bucket on a hyperscaler, a serverless function, or a managed Kubernetes cluster. Compliance teams interpret these requirements one way; engineers implement them another; auditors assess them a third. The catalog closes that gap by providing agreed, machine-readable definitions that all three groups can work from.

For organisations on multiple cloud providers — or evaluating a move between them — CCC is particularly valuable. Because the controls are defined abstractly against the capability rather than a specific vendor's implementation, the same policy applies across AWS, Azure, and GCP without being rewritten for each. That consistency is what makes multi-cloud compliance tractable rather than a separate programme per provider.

Meridian's team holds seats on the FINOS CCC Steering Committee — the body that governs the catalog's development and direction. We actively contribute control definitions, review proposed changes, and help maintain the mapping between CCC controls and the Gemara taxonomy. Our involvement is practical: Meridian deploys into the same kinds of regulated organisations that CCC was built for, and the quality of the catalog directly affects the quality of what Meridian Chancery can do out of the box.

The CCC Steering Committee includes engineers from Citibank, Morgan Stanley, RBC, Red Hat, and CVS Health — organisations that use the catalog in production. That governance structure is one of the reasons we trust it enough to ship it as Meridian Chancery's default control set. It is not maintained by Meridian alone; it is maintained by the institutions it serves.

Meridian Chancery ships pre-seeded with the FINOS CCC catalog. When a new Meridian deployment is provisioned, the relevant CCC controls for the organisation's cloud environment are already present and mapped to their applicable regulatory frameworks. Policy authors do not start from a blank canvas — they start from a battle-tested baseline and adjust it to their specific context.

The CCC connection also means that when the catalog is updated — as cloud providers release new services, or as the steering committee refines existing controls — those updates flow into Meridian Chancery through a governed process rather than a manual content exercise. Organisations running Meridian stay current with the evolving definition of cloud compliance without having to maintain that definition themselves.