What It Is

Clean Air Act (CAA), codified at 42 U.S.C. §7401 et seq., is a comprehensive U.S. federal statute regulating air emissions from stationary and mobile sources. It establishes national ambient air quality standards (NAAQS) and technology-based emission limits through a cooperative federalism model where EPA sets floors and states implement via SIPs.

Key Components

• NAAQS for six criteria pollutants (ozone, PM, CO, Pb, SO2, NO2) with primary/secondary standards.
• SIPs, NSPS, MACT/NESHAPs, Title V permits, and enforcement tools.
• Built on ambient outcomes, source controls, and accountability pillars; no fixed control count but layered requirements.
• Compliance via permits, monitoring, and federal oversight.

Why Organizations Use It

Mandated for emitters; drives compliance to avoid penalties, sanctions, FIPs. Reduces health/environmental risks, enables permitting, supports ESG via emission reductions. Builds stakeholder trust through transparent reporting.

Implementation Overview

Phased: gap analysis, permitting, controls installation, monitoring setup. Applies to major sources/industries nationwide; requires CEMS/testing, SIP adherence. No certification but EPA/state audits enforce.

What It Is

ISO/IEC 27017:2015 is an international code of practice extending ISO/IEC 27002 for information security controls in cloud services. It provides cloud-specific guidance within an ISO 27001 ISMS, focusing on shared responsibilities, multi-tenancy, and virtualization risks using a risk-based approach.

Key Components

• Guidance on 37 ISO 27002 controls adapted for cloud.
• 7 additional cloud-specific CLD controls (e.g., segregation, VM hardening, asset removal).
• Built on ISO 27001 ISMS framework.
• Assessed via ISO 27001 audits with 27017 extension; no standalone certification.

Why Organizations Use It

• Addresses cloud gaps in generic standards.
• Meets procurement demands and regulatory alignment (e.g., GDPR).
• Enhances risk management and customer trust.
• Differentiates CSPs/CSCs competitively.

Implementation Overview

• Integrate into existing ISO 27001 via risk assessment and control mapping.
• Key activities: shared responsibility matrices, configuration hardening, monitoring setup.
• Applies to CSPs/CSCs of all sizes/industries using cloud.
• Requires auditor inclusion in ISO 27001 certification (9-12 months for joint audits).