CCC Machine Learning Development Environment
Machine Learning Development Environment refers to the suite of tools, infrastructure, and processes that facilitate the development, testing, deployment, and maintenance of machine learning models.
Release Details
Version: DEV
Assurance Level:
Release Manager: Development Build
Contributors
Development Team
Change Log
- Development build - no formal changelog available
Capabilities
ID | Title | Description | Threat Mappings |
---|---|---|---|
CCC.MLDE.F01 | Managed Notebook Environments | Provides fully managed notebook instances specifically designed for machine learning development, eliminating the need to manage underlying infrastructure. | 0 |
CCC.MLDE.F02 | Pre-configured Machine Learning Libraries | Offers environments pre-installed with popular machine learning libraries and frameworks such as TensorFlow, PyTorch, and Scikit-learn, optimized for ML tasks. | 0 |
CCC.MLDE.F03 | Integrated Experiment Management | Facilitates tracking and management of machine learning experiments, including parameters, metrics, and artifacts, within the development environment. | 0 |
CCC.MLDE.F04 | Model Training and Deployment Integration | Supports seamless transition from model development to training and deployment, allowing models to be trained and deployed directly from the MLDE. | 0 |
CCC.MLDE.F05 | Automated Machine Learning (AutoML) Capabilities | Offers AutoML functionalities to automatically build, train, and optimize machine learning models with minimal manual intervention. | 0 |
CCC.MLDE.F06 | GPU/Specialized Hardware Support | Provides access to GPU instances and specialized ML acceleration hardware (TPUs, FPGAs) with automated driver and runtime management. | 0 |
CCC.MLDE.F07 | Data Pipeline Integration | Supports integration with data preparation and feature engineering pipelines, including versioning of datasets and capabilities used in ML experiments. | 0 |
CCC.MLDE.F08 | Model Registry | Provides centralized storage and versioning for trained models, including metadata about training runs, model artifacts, and deployment history. | 0 |
CCC.MLDE.F09 | Collaborative Development Support | Enables multiple data scientists to work on the same project with version control integration, shared notebooks, and resource management. | 0 |
CCC.MLDE.F10 | Model Monitoring and Drift Detection | Supports monitoring of deployed models for performance degradation, data drift, and concept drift with automated alerting capabilities. | 0 |
CCC.MLDE.F11 | Reproducibility Capabilities | Provides the capability to capture and version all components needed to reproduce an ML experiment, including code, data, and environment configurations. | 0 |
CCC.MLDE.F12 | Resource Scheduling and Optimization | Supports scheduling and optimization of compute resources for training jobs, including spot instance usage and auto-scaling capabilities. | 0 |
CCC.MLDE.F13 | Security and Compliance Controls | Provides specific controls for ML workflows including model governance, bias detection, and compliance documentation for regulated industries. | 0 |
CCC.Core.F03 | Access Log Publication | The service automatically publishes structured, verbose records of activities performed within the scope of the service by external actors. | 0 |
CCC.Core.F06 | Access Control | The service automatically enforces user configurations to restrict or allow access to a specific component or a child resource based on factors such as user identities, roles, groups, or attributes. | 0 |
CCC.Core.F08 | Data Replication | The service automatically replicates data across multiple deployments simultaneously with parity, or may be configured to do so. | 0 |
CCC.Core.F09 | Metrics Publication | The service automatically publishes structured, numeric, time-series data points related to the performance, availability, and health of the service or its child resources. | 0 |
CCC.Core.F10 | Log Publication | The service automatically publishes structured, verbose records of activities, operations, or events that occur within the service. | 0 |
CCC.Core.F14 | API Access | The service exposes a port enabling external actors to interact programmatically with the service and its resources using HTTP protocol methods such as GET, POST, PUT, and DELETE. | 0 |
CCC.Core.F15 | Cost Management | The service monitors data published by child or networked resources to infer usage patterns and generate cost reports for the service. | 0 |
CCC.Core.F16 | Budgeting | The service may be configured to take a user-specified action when a spending threshold is met or exceeded on a child or networked resource. | 0 |
CCC.Core.F17 | Alerting | The service may be configured to emit a notification based on a user-defined condition related to the data published by a child or networked resource. | 0 |
CCC.Core.F20 | Resource Tagging | The service provides users with the ability to tag a child resource with metadata that can be reviewed or queried. | 0 |
CCC.Core.F23 | Network Access Rules | The service restricts access to child or networked resources based on user-defined network parameters such as IP address, protocol, port, or source. | 0 |
Controls
ID | Title | Objective | Control Family | Threat Mappings | Guideline Mappings | Assessment Requirements |
---|---|---|---|---|---|---|
CCC.MLDE.C01 | Define Access Mode for ML Development Environments | Ensure that access to Machine Learning Development Environment (MLDE) resources is strictly defined and controlled. Only authorized users with appropriate permissions can access these environments, mitigating the risk of unauthorized access, data leakage, or service disruption. | Identity and Access Management | 2 | 7 | 1 |
CCC.MLDE.C03 | Disable Root Access on MLDE Instances | Prevent users from obtaining root access on MLDE instances to reduce the risk of unauthorized system modifications and potential security breaches. | Identity and Access Management | 1 | 5 | 2 |
CCC.MLDE.C04 | Disable Terminal Access on MLDE Instances | Prevent users from accessing the terminal on MLDE instances to limit the risk of unauthorized commands and potential system compromise. | Identity and Access Management | 1 | 4 | 2 |
CCC.Core.C03 | Implement Multi-factor Authentication (MFA) for Access | Ensure that all sensitive activities require two or more identity factors during authentication to prevent unauthorized access. | Identity and Access Management | 1 | 6 | 4 |
CCC.Core.C05 | Prevent Access from Untrusted Entities | Ensure that secure access controls enforce the principle of least privilege to restrict access to authorized entities from explicitly trusted sources only. | Identity and Access Management | 1 | 8 | 6 |
CCC.MLDE.C02 | Disable File Downloads on MLDE Instances | Prevent unauthorized file downloads from MLDE instances to protect sensitive data from being exfiltrated. | Data Protection | 2 | 6 | 2 |
CCC.MLDE.C05 | Restrict Environment Options on MLDE Instances | Limit the virtual machine and container image options available when creating new MLDE instances to approved and secure configurations. | Configuration Management | 1 | 4 | 2 |
CCC.MLDE.C06 | Require Automatic Scheduled Upgrades on User-Managed MLDE Instances | Ensure that MLDE instances are kept up-to-date with the latest security patches by enforcing automatic scheduled upgrades. | Vulnerability Management | 2 | 5 | 2 |
CCC.MLDE.C07 | Restrict Public IP Access on MLDE Instances | Prevent public IP access to MLDE instances to reduce exposure to the internet and enhance security. | Network Security | 2 | 4 | 2 |
CCC.MLDE.C08 | Restrict Virtual Networks for MLDE Instances | Limit the virtual networks that can be used when creating new MLDE instances to ensure they are deployed within approved and secure network environments. | Network Security | 2 | 4 | 2 |
CCC.Core.C01 | Encrypt Data for Transmission | Ensure that all communications are encrypted in transit to protect data integrity and confidentiality. | Data | 1 | 8 | 5 |
CCC.Core.C02 | Encrypt Data for Storage | Ensure that all data stored is encrypted at rest using strong encryption algorithms. | Data | 1 | 7 | 1 |
CCC.Core.C06 | Restrict Deployments to Trust Perimeter | Ensure that the service and its child resources are only deployed on infrastructure in locations that are explicitly included within a defined trust perimeter. | Data | 1 | 4 | 2 |
CCC.Core.C04 | Log All Access and Changes | Ensure that all access attempts are logged to maintain a detailed audit trail for security and compliance purposes. | Logging & Monitoring | 1 | 5 | 3 |