What Is CDMC? A Practical Guide to the Cloud Data Management Capabilities Framework

CDMC gives organizations a cloud-specific framework for controlling sensitive data, assessing maturity and translating governance requirements into measurable technical controls. This guide explains the framework, its 14 controls and how teams can apply it in practice.

Cloud environments changed data management. Data now moves across regions, identities are federated, storage and compute scale independently, and access decisions increasingly depend on APIs, policies and metadata that have to be evaluated continuously rather than checked after the fact.

The Cloud Data Management Capabilities (CDMC) framework helps organizations assess and improve how they manage and control data in cloud, multi-cloud and hybrid-cloud environments.

What is the CDMC framework?

CDMC is a best-practice assessment and certification framework. The framework was developed by the CDMC Working Group with participation from more than 300 people across more than 100 organizations, and the first CDMC controls were published in 2021. The framework is made available by the EDM Council under a free license for internal use.

CDMC is different from frameworks such as DAMA-DMBOK or DCAM. DAMA-DMBOK is a body of knowledge for data management as a discipline, while DCAM assesses broader enterprise data management capabilities. CDMC assumes these foundations matter, but narrows the lens to the controls needed to govern sensitive data in cloud environments — where automation, policy enforcement and continuous evidence collection are part of the design rather than an optional layer added later.

At its core, CDMC is organized around 14 key controls and automations that sit inside six areas:

  • Governance & Accountability
  • Cataloging & Classification
  • Accessibility & Usage
  • Protection & Privacy
  • Data Lifecycle
  • Data & Technical Architecture

The framework is built so each control can be evidenced and assessed, which is why it is useful not only as a governance reference, but also as a practical assessment model for cloud programs that need to show where control coverage exists and where it does not.

The framework is also deliberately vendor-neutral, making it relevant across industries and across cloud, multi-cloud and hybrid-cloud environments, and major providers and ecosystem vendors have published their own implementation guidance or assessment materials against the controls.

The 6 capability areas of the CDMC data governance framework

The 14 controls are easier to work with when they are viewed through the six operational areas they collectively support:

  1. Governance & Accountability covers the foundational control plane: data control compliance; ownership; authoritative data sources and provisioning points; and data sovereignty and cross-border movement. A team should be able to show who owns a sensitive asset, where it originated, how compliance is monitored and whether jurisdictional movement is governed and auditable.
  2. Cataloging & Classification covers whether sensitive data is cataloged and classified automatically at creation or ingestion, and whether that process stays consistent across environments. This is one of the clearest examples of CDMC’s cloud orientation, because the framework assumes the catalog is a live control surface rather than a static inventory.
  3. Accessibility & Usage covers entitlements, access defaults and data consumption purpose. Sensitive data access should default to the creator and owner, access should be tracked, and the purpose of data consumption should be provided for data-sharing agreements involving sensitive data.
  4. Protection & Privacy covers appropriate security controls for sensitive data and the automatic triggering of data protection impact assessments for personal data according to jurisdiction. This is where CDMC most clearly ties governance requirements to privacy operations and evidence.
  5. Data Lifecycle covers retention, archiving, purging and data quality measurement. The EDM Council diagram places data quality measurement here rather than in a separate top-level quality domain, which is a useful signal that quality is treated as part of ongoing lifecycle control — not only as an analytics concern.
  6. Data & Technical Architecture covers cost metrics and lineage. CDMC expects organizations to make cost metrics associated with data use, storage and movement available in the catalog, and to make lineage information available for sensitive data.

EDM Council’s CDMC benchmark materials use an evidence-based scoring model and describe maturity through assessment outputs tied to process, engagement and evidence. In practice, organizations use the results to produce a control-by-control maturity view and a remediation heatmap that shows where automation, metadata, policy coverage or monitoring still need work.

Here’s a practical way to think about what measured maturity looks like across the six areas:

| Capability area | What measured maturity looks like |
| --- | --- |
| Cataloging and classification | New data assets are cataloged automatically, ownership is populated, sensitive columns are classified on ingestion and tags are queryable for downstream policy use |
| Data protection and privacy | Masking, encryption and privacy controls are attached through policy, and evidence of control application can be surfaced without manual reconstruction |
| Data quality | Quality checks run on a schedule, exceptions are visible centrally and owners can trace which checks failed and where |
| Data lifecycle | Retention schedules are applied consistently, recovery windows are defined and restoration or purge actions can be audited |
| Data access and usage | Access follows role- or policy-based rules, default ownership is clear and usage can be traced to users, roles and approved purposes |
| Data sovereignty | Region and movement constraints are documented, cross-border handling is auditable and exceptions can be reviewed against policy |

Implementing CDMC with Snowflake

While CDMC is vendor-neutral and implementation varies by organization, Snowflake provides capabilities that can support many aspects of these controls.

Cataloging and classification

Snowflake Horizon Catalog brings together metadata, lineage and policy context, while Snowflake’s sensitive data classification applies system-defined tags to columns identified as sensitive. Horizon can help apply retention and access policies across environments, supporting CDMC expectations that cataloging and classification should operate as an active control layer.

Protection and privacy

Snowflake enables dynamic data masking and row access policies. The Dynamic Data Masking feature uses masking policies to selectively mask plain-text data in table and view columns at query time, while row access policies control which rows are visible in a table or view. Together, these controls can be used to support CDMC requirements related to security controls and privacy-sensitive access management.
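The following added example (not from the original guide) shows how a classification tag, a masking policy and a row access policy can be wired together, and how the resulting policy attachments can be queried as evidence. All database, schema, table, role and policy names are hypothetical, and it assumes the governance.tags, governance.policies and sales.crm schemas exist and that sales.crm.customers has email and region columns.

```sql
-- Added example; every object and role name below is hypothetical.

-- 1. Classification tag that downstream policies key off.
CREATE TAG IF NOT EXISTS governance.tags.sensitivity
  ALLOWED_VALUES 'pii', 'internal', 'public';

-- 2. Masking policy, evaluated at query time (stored data is unchanged).
--    It reads the tag value on the column it is protecting, so only
--    columns tagged 'pii' are masked for roles without PII_READER.
CREATE OR REPLACE MASKING POLICY governance.policies.mask_pii_string
  AS (val STRING) RETURNS STRING ->
  CASE
    WHEN SYSTEM$GET_TAG_ON_CURRENT_COLUMN('governance.tags.sensitivity') <> 'pii' THEN val
    WHEN IS_ROLE_IN_SESSION('PII_READER') THEN val
    ELSE '***MASKED***'
  END;

-- 3. Tag-based masking: STRING columns carrying the tag inherit the policy.
ALTER TAG governance.tags.sensitivity
  SET MASKING POLICY governance.policies.mask_pii_string;

ALTER TABLE sales.crm.customers
  MODIFY COLUMN email SET TAG governance.tags.sensitivity = 'pii';

-- 4. Row access policy driven by a role-to-region entitlement table.
CREATE TABLE IF NOT EXISTS governance.policies.region_entitlements
  (role_name STRING, region STRING);

CREATE OR REPLACE ROW ACCESS POLICY governance.policies.rows_by_region
  AS (row_region STRING) RETURNS BOOLEAN ->
  IS_ROLE_IN_SESSION('GLOBAL_ANALYST')
  OR EXISTS (
    SELECT 1
    FROM governance.policies.region_entitlements e
    WHERE e.role_name = CURRENT_ROLE()
      AND e.region = row_region
  );

ALTER TABLE sales.crm.customers
  ADD ROW ACCESS POLICY governance.policies.rows_by_region ON (region);

-- 5. Evidence: list every policy attached to the table, directly or via tag.
SELECT policy_name, policy_kind, ref_column_name, tag_name, policy_status
FROM TABLE(sales.INFORMATION_SCHEMA.POLICY_REFERENCES(
  REF_ENTITY_NAME   => 'sales.crm.customers',
  REF_ENTITY_DOMAIN => 'TABLE'));
```

The output of the final query is the kind of artifact a control owner can export for an assessment instead of reconstructing policy coverage by hand.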

Data lifecycle

Snowflake provides Time Travel of up to 90 days and Fail-safe within a seven-day period after the Time Travel retention window ends. These features provide built-in capabilities that can support retention and recovery control requirements within the platform.

Data quality management and measurement

For the data quality measurement control inside Data Lifecycle, Snowflake’s data quality monitoring and data metric functions provide built-in and custom ways to measure common data quality attributes. System data metric functions can be assigned to tables or views and used for governance and compliance needs, which makes them a practical fit for CDMC Control 11.

Accessibility and usage

Snowflake’s access model centers on role-based access control (RBAC), ownership and privileges, with related policy controls layered on top. This supports the entitlement and access side of the framework, while tags and metadata help connect access decisions to sensitivity and usage context.

Data and technical architecture

Horizon Catalog’s metadata and lineage model helps turn CDMC from a set of control statements into something an organization can actually evaluate. The framework assumes teams can identify a sensitive asset, attach governance context to it and follow it through the systems, transformations and downstream objects that depend on it. Metadata surfaces context — ownership, classification, tags and related controls — while lineage shows how the data moves and where those controls may need to persist.

Governance and accountability

Snowflake helps establish the control context that CDMC depends on. The framework is not only asking whether sensitive data is classified or protected, but whether an organization can show who owns it, which source is authoritative, how compliance is monitored and whether movement across environments or jurisdictions can be reviewed against policy.

Snowflake provides capabilities that can help organizations implement, operationalize and monitor compliance-related processes through shared metadata, ownership fields, tags, policy application and activity visibility. This makes governance something data stewards and control owners can actually inspect.

Here’s a simple map of capabilities and features:

| CDMC capability | Snowflake feature support |
| --- | --- |
| Governance & Accountability | Snowflake Horizon Catalog, ownership metadata, tags, access history, policy controls |
| Cataloging & Classification | Snowflake Horizon Catalog, sensitive data classification, object tagging |
| Accessibility & Usage | RBAC, row access policies, ownership and privilege model |
| Protection & Privacy | Dynamic Data Masking, row access policies, classification tags and policy enforcement |
| Data Lifecycle | Time Travel, Fail-safe, retention-related policy context in Horizon Catalog |
| Data & Technical Architecture | Lineage and metadata in Snowflake Horizon Catalog, usage and cost data combined with broader governance reporting |

CDMC makes cloud controls assessable

What distinguishes CDMC is that it assumes cloud data management needs controls that can be automated, evidenced and reassessed continuously, because that’s how modern platforms actually operate. The value of the framework is not only in naming the controls, but in forcing teams to ask questions such as where catalog metadata is populated, how access is enforced, whether quality checks run without manual intervention, and what evidence exists when an auditor or regulator asks for proof.
