
Releases: securecontrolsframework/securecontrolsframework

SCF 2025.2.2

22 Jul 23:34

Version 2025.2.2 is a minor update that is released to announce the new SCF Cybersecurity Oversight, Resilience and Enablement (CORE) baselines:

  • SCF CORE Fundamentals
  • SCF CORE MA&D (Mergers, Acquisitions & Divestitures)

There are also a few minor updates to existing controls in the 2025.2.2 release:

Corrects the addition of New Zealand HISF 2022 mapping:

  • TPM-01
  • TPM-04.1
  • TPM-05
  • TPM-08

CMMC 2.0 Level 2 (updated mappings to correspond to NIST 800-171 R2 STRM)

  • CLD-06
  • CLD-10
  • CFG-02.1
  • IAC-15.1
  • NET-02.2
  • PES-06.1
  • WEB-02
  • WEB-04

Renamed Control

  • HRS-06.2
  • HRS-09.3

Wordsmithed Control

  • HRS-06.2
  • HRS-09.3
  • IAC-01.3
  • NET-06

Removes mapping for:

  • UK GDPR (redundant with STRM for EU GDPR mapping)

Version 2025.2.1 corrects a few items in the AAT domain due to a correction in the Set Theory Relationship Mapping (STRM) for NIST AI 600-1 and the EU AI Act:

EU AI Act changes:

  • AAT-22
  • AAT-22.3
  • AAT-22.4

NIST AI 600-1 changes:

  • AAT-06
  • AAT-10
  • AAT-24
  • AAT-26
  • AAT-26.1
  • TDA-22

Version 2025.2 represents a major update, based on the number of new and changed controls in the Secure Controls Framework (SCF). There are seventy-nine (79) new controls in SCF 2025.2, and the majority of the new controls are focused on the governance of Artificial Intelligence (AI).

You can download the new version of the SCF and errata from:
  • SCF https://securecontrolsframework.com/scf-download/
  • Errata https://securecontrolsframework.com/errata/

Added / Updated Set Theory Relationship Mappings (STRM) for:
  • EU Artificial Intelligence (AI) Act (Regulation (EU) 2024/1689)
  • EU Cyber Resilience Act
  • EU Cyber Resilience Act - Annexes
  • ENISA NIS2 Annex
  • Farm Credit Administration (FCA) Cyber Risk Management
  • NAIC Insurance Data Security Model Law 668
  • NERC CIP (2024)
  • NIST AI 100-1 (AI Risk Management Framework)
  • NIST AI 600-1 (NIST Trustworthy and Responsible AI)
  • NIST SP 800-171 R3
  • NIST SP 800-171A R3
  • NIST SP 800-218 v1.1
  • NZ Health Information Security Framework (2022)
  • HISO 10029:2024 NZ Health Information Security Framework Guidance for Suppliers

Removed SCF mappings to:
  • South Carolina Insurance Data Security Act (directly maps to NAIC Insurance Data Security Model Law 668)

New controls:
  • GOV-01.3 - Commitment To Continual Improvements
  • GOV-18 - Quality Management System (QMS)
  • AAT-02.3 - Adequate Protections For AI & Autonomous Technologies
  • AAT-09.1 - AI & Autonomous Technologies High Risk Designations
  • AAT-10.15 - AI TEVV Reporting
  • AAT-10.16 - AI TEVV Empirically Validated Methods
  • AAT-10.17 - AI TEVV Benchmarking Content Provenance
  • AAT-10.18 - AI TEVV Model Collapse Mitigations
  • AAT-12.3 - Data Source Lineage & Origin Disclosure
  • AAT-12.4 - Digital Content Modification Logging
  • AAT-16.8 - AI & Autonomous Technologies Event Logging
  • AAT-16.9 - Serious Incident Reporting For AI & Autonomous Technologies
  • AAT-16.10 - Serious Incident Root Cause Analysis (RCA) For AI & Autonomous Technologies
  • AAT-17.4 - Novel Risk Assessment Methods & Technologies
  • AAT-17.5 - Fine Tuning Risk Mitigation
  • AAT-19 - AI & Autonomous Technologies Conformity
  • AAT-19.1 - Manipulative or Deceptive Techniques
  • AAT-19.2 - Materially Distorting Behaviors
  • AAT-19.3 - Social Scoring
  • AAT-19.4 - Detrimental or Unfavorable Treatment
  • AAT-19.5 - Risk and Criminal Profiling
  • AAT-19.6 - Populating Facial Recognition Databases
  • AAT-19.7 - Emotion Inference
  • AAT-19.8 - Biometric Categorization
  • AAT-20 - AI & Autonomous Technologies Development Practices
  • AAT-20.1 - AI & Autonomous Technologies Transparency
  • AAT-20.2 - AI & Autonomous Technologies Implementation Documentation
  • AAT-20.3 - AI & Autonomous Technologies Human Domain Knowledge Reliance
  • AAT-21 - AI & Autonomous Technologies Registration
  • AAT-22 - AI & Autonomous Technologies Deployment
  • AAT-22.1 - AI & Autonomous Technologies Human Oversight
  • AAT-22.2 - AI & Autonomous Technologies Oversight Measures
  • AAT-22.3 - AI & Autonomous Technologies Separate Verification
  • AAT-22.4 - AI & Autonomous Technologies Oversight Functions Competency
  • AAT-22.5 - AI & Autonomous Technologies Data Relevance
  • AAT-22.6 - AI & Autonomous Technologies Irregularity Reporting
  • AAT-22.7 - AI & Autonomous Technologies Use Notification To Employees
  • AAT-22.8 - AI & Autonomous Technologies Use Notification To Users
  • AAT-23 - AI & Autonomous Technologies Output Marking
  • AAT-24 - Real World Testing of AI & Autonomous Technologies
  • AAT-25 - AI & Autonomous Technologies System Value Chain
  • AAT-25.1 - AI & Autonomous Technologies System Value Chain Fallbacks
  • AAT-26 - AI & Autonomous Technologies Testing Techniques
  • AAT-26.1 - Generative Artificial Intelligence (GAI) Identification
  • AAT-26.2 - AI & Autonomous Technologies Capabilities Testing
  • AAT-26.3 - Real-World Testing
  • AAT-26.4 - Documenting Testing Guidance
  • AAT-27 - AI & Autonomous Technologies Output Filtering
  • AAT-27.1 - Human Moderation
  • AST-31.2 - High-Risk Asset Categorization
  • BCD-06.1 - Contingency Planning Components
  • BCD-06.2 - Contingency Plan Update Notifications
  • CHG-07 - Emergency Changes
  • CHG-07.1 - Documenting Emergency Changes
  • CPL-01.4 - Conformity Assessment
  • CPL-01.5 - Declaration of Conformity
  • CPL-02.3 - Corrective Action
  • CPL-03.3 - Assessor Access
  • CPL-08 - Localized Representation
  • CPL-08.1 - Representative Powers
  • MON-02.9 - Inventory of Technology Asset Event Logging
  • HRS-07.2 - Updating Disciplinary Processes
  • IAC-10.13 - Events Requiring Authenticator Change
  • IRO-09.2 - Recurring Incident Analysis
  • IRO-10.5 - Serious Incident Reporting
  • RSK-04.2 - Risk Assessment Methodology
  • SAT-01.1 - Maintaining Workforce Development Relevancy
  • TDA-02.8 - Minimizing Attack Surfaces
  • TDA-02.9 - Ongoing Product Security Support
  • TDA-02.10 - Product Testing & Reviews
  • TDA-02.11 - Disclosure of Vulnerabilities
  • TDA-02.12 - Products With Digital Elements
  • TDA-02.13 - Reporting Exploitable Vulnerabilities
  • TDA-21 - Product Conformity Governance
  • TDA-22 - Technical Documentation Artifacts
  • TDA-22.1 - Product-Specific Risk Assessment Artifacts
  • VPM-04.3 - Deferred Patching Decisions
  • VPM-05.8 - Software Patch Integrity

Renamed controls:
  • AAT-07.1 - AI & Autonomous Technologies Impact Assessment
  • HRS-05.3 - Technology Use Restrictions
  • IRO-12 - Sensitive / Regulated Data Spill Response
  • IRO-12.1 - Sensitive / Regulated Data Spill Responsible Personnel
  • IRO-12.2 - Sensitive / Regulated Data Spill Training
  • IRO-12.3 - Post-Sensitive / Regulated Data Spill Operations
  • IRO-12.4 - Sensitive / Regulated Data Exposure to Unauthorized Personnel
  • TDA-06 - Secure Software Development Practices (SSDP)
  • TPM-03 - Supply Chain Risk Management (SCRM)

Wordsmithed controls:
  • GOV-03 - Periodic Review & Update of Cybersecurity & Data Protection Program
  • AAT-07.1 - AI & Autonomous Technologies Impact Assessment
  • AAT-08 - Assigned Responsibilities for AI & Autonomous Technologies
  • AAT-09 - AI & Autonomous Technologies Risk Profiling
  • AAT-10 - Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV)
  • AAT-10.3 - AI TEVV Trustworthiness Demonstration
  • AAT-16.7 - Pre-Trained AI & Autonomous Technologies Models
  • BCD-06 - Ongoing Contingency Planning
  • CPL-03 - Cybersecurity & Data Protection Assessments
  • HRS-04.2 - Formal Indoctrination
  • HRS-05.3 - Technology Use Restrictions
  • HRS-15 - Reporting Suspicious Activities
  • IAC-10 - Authenticator Management
  • IRO-12 - Sensitive / Regulated Data Spill Response
  • IRO-12.1 - Sensitive / Regulated Data Spill Responsible Personnel
  • IRO-12.2 - Sensitive / Regulated Data Spill Training
  • IRO-12.3 - Post-Sensitive / Regulated Data Spill Operations
  • IRO-12.4 - Sensitive / Regulated Data Exposure to Unauthorized Personnel
  • TDA-01.1 - Product Management
  • TDA-02 - Minimum Viable Product (MVP) Security Requirements
  • TDA-06 - Secure Software Development Practices (SSDP)
  • TPM-03 - Supply Chain Risk Management (SCRM)

Updating mappings:
  • Canada ITSP-10-171
    HRS-04
    HRS-05.1
    IAC-02
    IAC-25
  • CISA SSDAF
    AST-03.2
    TDA-04.2
  • NIST 800-171 R3
    HRS-04
    HRS-05.1
    IAC-02
    IAC-25
  • NIST 800-171A R3
    HRS-04
    IAC-02
    TDA-02.3

SCF 2025.2.1

09 Jul 15:58

Version 2025.2 represents a major update, based on the number of new and changed controls in the Secure Controls Framework (SCF). There are seventy-nine (79) new controls in SCF 2025.2, and the majority of the new controls are focused on the governance of Artificial Intelligence (AI).

You can download the new version of the SCF and errata from:
  • SCF https://securecontrolsframework.com/scf-download/
  • Errata https://securecontrolsframework.com/errata/

Added / Updated Set Theory Relationship Mappings (STRM) for:
  • EU Artificial Intelligence (AI) Act (Regulation (EU) 2024/1689)
  • EU Cyber Resilience Act
  • EU Cyber Resilience Act - Annexes
  • ENISA NIS2 Annex
  • Farm Credit Administration (FCA) Cyber Risk Management
  • NAIC Insurance Data Security Model Law 668
  • NERC CIP (2024)
  • NIST AI 100-1 (AI Risk Management Framework)
  • NIST AI 600-1 (NIST Trustworthy and Responsible AI)
  • NIST SP 800-171 R3
  • NIST SP 800-171A R3
  • NIST SP 800-218 v1.1
  • NZ Health Information Security Framework (2022)
  • HISO 10029:2024 NZ Health Information Security Framework Guidance for Suppliers

Removed SCF mappings to:
  • South Carolina Insurance Data Security Act (directly maps to NAIC Insurance Data Security Model Law 668)

New controls:
  • GOV-01.3 - Commitment To Continual Improvements
  • GOV-18 - Quality Management System (QMS)
  • AAT-02.3 - Adequate Protections For AI & Autonomous Technologies
  • AAT-09.1 - AI & Autonomous Technologies High Risk Designations
  • AAT-10.15 - AI TEVV Reporting
  • AAT-10.16 - AI TEVV Empirically Validated Methods
  • AAT-10.17 - AI TEVV Benchmarking Content Provenance
  • AAT-10.18 - AI TEVV Model Collapse Mitigations
  • AAT-12.3 - Data Source Lineage & Origin Disclosure
  • AAT-12.4 - Digital Content Modification Logging
  • AAT-16.8 - AI & Autonomous Technologies Event Logging
  • AAT-16.9 - Serious Incident Reporting For AI & Autonomous Technologies
  • AAT-16.10 - Serious Incident Root Cause Analysis (RCA) For AI & Autonomous Technologies
  • AAT-17.4 - Novel Risk Assessment Methods & Technologies
  • AAT-17.5 - Fine Tuning Risk Mitigation
  • AAT-19 - AI & Autonomous Technologies Conformity
  • AAT-19.1 - Manipulative or Deceptive Techniques
  • AAT-19.2 - Materially Distorting Behaviors
  • AAT-19.3 - Social Scoring
  • AAT-19.4 - Detrimental or Unfavorable Treatment
  • AAT-19.5 - Risk and Criminal Profiling
  • AAT-19.6 - Populating Facial Recognition Databases
  • AAT-19.7 - Emotion Inference
  • AAT-19.8 - Biometric Categorization
  • AAT-20 - AI & Autonomous Technologies Development Practices
  • AAT-20.1 - AI & Autonomous Technologies Transparency
  • AAT-20.2 - AI & Autonomous Technologies Implementation Documentation
  • AAT-20.3 - AI & Autonomous Technologies Human Domain Knowledge Reliance
  • AAT-21 - AI & Autonomous Technologies Registration
  • AAT-22 - AI & Autonomous Technologies Deployment
  • AAT-22.1 - AI & Autonomous Technologies Human Oversight
  • AAT-22.2 - AI & Autonomous Technologies Oversight Measures
  • AAT-22.3 - AI & Autonomous Technologies Separate Verification
  • AAT-22.4 - AI & Autonomous Technologies Oversight Functions Competency
  • AAT-22.5 - AI & Autonomous Technologies Data Relevance
  • AAT-22.6 - AI & Autonomous Technologies Irregularity Reporting
  • AAT-22.7 - AI & Autonomous Technologies Use Notification To Employees
  • AAT-22.8 - AI & Autonomous Technologies Use Notification To Users
  • AAT-23 - AI & Autonomous Technologies Output Marking
  • AAT-24 - Real World Testing of AI & Autonomous Technologies
  • AAT-25 - AI & Autonomous Technologies System Value Chain
  • AAT-25.1 - AI & Autonomous Technologies System Value Chain Fallbacks
  • AAT-26 - AI & Autonomous Technologies Testing Techniques
  • AAT-26.1 - Generative Artificial Intelligence (GAI) Identification
  • AAT-26.2 - AI & Autonomous Technologies Capabilities Testing
  • AAT-26.3 - Real-World Testing
  • AAT-26.4 - Documenting Testing Guidance
  • AAT-27 - AI & Autonomous Technologies Output Filtering
  • AAT-27.1 - Human Moderation
  • AST-31.2 - High-Risk Asset Categorization
  • BCD-06.1 - Contingency Planning Components
  • BCD-06.2 - Contingency Plan Update Notifications
  • CHG-07 - Emergency Changes
  • CHG-07.1 - Documenting Emergency Changes
  • CPL-01.4 - Conformity Assessment
  • CPL-01.5 - Declaration of Conformity
  • CPL-02.3 - Corrective Action
  • CPL-03.3 - Assessor Access
  • CPL-08 - Localized Representation
  • CPL-08.1 - Representative Powers
  • MON-02.9 - Inventory of Technology Asset Event Logging
  • HRS-07.2 - Updating Disciplinary Processes
  • IAC-10.13 - Events Requiring Authenticator Change
  • IRO-09.2 - Recurring Incident Analysis
  • IRO-10.5 - Serious Incident Reporting
  • RSK-04.2 - Risk Assessment Methodology
  • SAT-01.1 - Maintaining Workforce Development Relevancy
  • TDA-02.8 - Minimizing Attack Surfaces
  • TDA-02.9 - Ongoing Product Security Support
  • TDA-02.10 - Product Testing & Reviews
  • TDA-02.11 - Disclosure of Vulnerabilities
  • TDA-02.12 - Products With Digital Elements
  • TDA-02.13 - Reporting Exploitable Vulnerabilities
  • TDA-21 - Product Conformity Governance
  • TDA-22 - Technical Documentation Artifacts
  • TDA-22.1 - Product-Specific Risk Assessment Artifacts
  • VPM-04.3 - Deferred Patching Decisions
  • VPM-05.8 - Software Patch Integrity

Renamed controls:
  • AAT-07.1 - AI & Autonomous Technologies Impact Assessment
  • HRS-05.3 - Technology Use Restrictions
  • IRO-12 - Sensitive / Regulated Data Spill Response
  • IRO-12.1 - Sensitive / Regulated Data Spill Responsible Personnel
  • IRO-12.2 - Sensitive / Regulated Data Spill Training
  • IRO-12.3 - Post-Sensitive / Regulated Data Spill Operations
  • IRO-12.4 - Sensitive / Regulated Data Exposure to Unauthorized Personnel
  • TDA-06 - Secure Software Development Practices (SSDP)
  • TPM-03 - Supply Chain Risk Management (SCRM)

Wordsmithed controls:
  • GOV-03 - Periodic Review & Update of Cybersecurity & Data Protection Program
  • AAT-07.1 - AI & Autonomous Technologies Impact Assessment
  • AAT-08 - Assigned Responsibilities for AI & Autonomous Technologies
  • AAT-09 - AI & Autonomous Technologies Risk Profiling
  • AAT-10 - Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV)
  • AAT-10.3 - AI TEVV Trustworthiness Demonstration
  • AAT-16.7 - Pre-Trained AI & Autonomous Technologies Models
  • BCD-06 - Ongoing Contingency Planning
  • CPL-03 - Cybersecurity & Data Protection Assessments
  • HRS-04.2 - Formal Indoctrination
  • HRS-05.3 - Technology Use Restrictions
  • HRS-15 - Reporting Suspicious Activities
  • IAC-10 - Authenticator Management
  • IRO-12 - Sensitive / Regulated Data Spill Response
  • IRO-12.1 - Sensitive / Regulated Data Spill Responsible Personnel
  • IRO-12.2 - Sensitive / Regulated Data Spill Training
  • IRO-12.3 - Post-Sensitive / Regulated Data Spill Operations
  • IRO-12.4 - Sensitive / Regulated Data Exposure to Unauthorized Personnel
  • TDA-01.1 - Product Management
  • TDA-02 - Minimum Viable Product (MVP) Security Requirements
  • TDA-06 - Secure Software Development Practices (SSDP)
  • TPM-03 - Supply Chain Risk Management (SCRM)

Updating mappings:
  • Canada ITSP-10-171
    HRS-04
    HRS-05.1
    IAC-02
    IAC-25
  • CISA SSDAF
    AST-03.2
    TDA-04.2
  • NIST 800-171 R3
    HRS-04
    HRS-05.1
    IAC-02
    IAC-25
  • NIST 800-171A R3
    HRS-04
    IAC-02
    TDA-02.3

SCF 2025.2

07 Jul 22:34

Version 2025.2 represents a major update, based on the number of new and changed controls in the Secure Controls Framework (SCF). The majority of the new controls are focused on the governance of Artificial Intelligence (AI).

You can download the new version of the SCF and errata from:

Added / Updated Set Theory Relationship Mappings (STRM) for:

  • EU Artificial Intelligence (AI) Act (Regulation (EU) 2024/1689)
  • EU Cyber Resilience Act
  • EU Cyber Resilience Act - Annexes
  • ENISA NIS2 Annex
  • Farm Credit Administration (FCA) Cyber Risk Management
  • NAIC Insurance Data Security Model Law 668
  • NERC CIP (2024)
  • NIST AI 100-1 (AI Risk Management Framework)
  • NIST AI 600-1 (NIST Trustworthy and Responsible AI)
  • NIST SP 800-171 R3
  • NIST SP 800-171A R3
  • NIST SP 800-218 v1.1
  • NZ Health Information Security Framework (2022)
  • HISO 10029:2024 NZ Health Information Security Framework Guidance for Suppliers

Removed SCF mappings to:

  • South Carolina Insurance Data Security Act (directly maps to NAIC Insurance Data Security Model Law 668)

New controls:

  • GOV-01.3 - Commitment To Continual Improvements
  • GOV-18 - Quality Management System (QMS)
  • AAT-02.3 - Adequate Protections For AI & Autonomous Technologies
  • AAT-09.1 - AI & Autonomous Technologies High Risk Designations
  • AAT-10.15 - AI TEVV Reporting
  • AAT-10.16 - AI TEVV Empirically Validated Methods
  • AAT-10.17 - AI TEVV Benchmarking Content Provenance
  • AAT-10.18 - AI TEVV Model Collapse Mitigations
  • AAT-12.3 - Data Source Lineage & Origin Disclosure
  • AAT-12.4 - Digital Content Modification Logging
  • AAT-16.8 - AI & Autonomous Technologies Event Logging
  • AAT-16.9 - Serious Incident Reporting For AI & Autonomous Technologies
  • AAT-16.10 - Serious Incident Root Cause Analysis (RCA) For AI & Autonomous Technologies
  • AAT-17.4 - Novel Risk Assessment Methods & Technologies
  • AAT-17.5 - Fine Tuning Risk Mitigation
  • AAT-19 - AI & Autonomous Technologies Conformity
  • AAT-19.1 - Manipulative or Deceptive Techniques
  • AAT-19.2 - Materially Distorting Behaviors
  • AAT-19.3 - Social Scoring
  • AAT-19.4 - Detrimental or Unfavorable Treatment
  • AAT-19.5 - Risk and Criminal Profiling
  • AAT-19.6 - Populating Facial Recognition Databases
  • AAT-19.7 - Emotion Inference
  • AAT-19.8 - Biometric Categorization
  • AAT-20 - AI & Autonomous Technologies Development Practices
  • AAT-20.1 - AI & Autonomous Technologies Transparency
  • AAT-20.2 - AI & Autonomous Technologies Implementation Documentation
  • AAT-20.3 - AI & Autonomous Technologies Human Domain Knowledge Reliance
  • AAT-21 - AI & Autonomous Technologies Registration
  • AAT-22 - AI & Autonomous Technologies Deployment
  • AAT-22.1 - AI & Autonomous Technologies Human Oversight
  • AAT-22.2 - AI & Autonomous Technologies Oversight Measures
  • AAT-22.3 - AI & Autonomous Technologies Separate Verification
  • AAT-22.4 - AI & Autonomous Technologies Oversight Functions Competency
  • AAT-22.5 - AI & Autonomous Technologies Data Relevance
  • AAT-22.6 - AI & Autonomous Technologies Irregularity Reporting
  • AAT-22.7 - AI & Autonomous Technologies Use Notification To Employees
  • AAT-22.8 - AI & Autonomous Technologies Use Notification To Users
  • AAT-23 - AI & Autonomous Technologies Output Marking
  • AAT-24 - Real World Testing of AI & Autonomous Technologies
  • AAT-25 - AI & Autonomous Technologies System Value Chain
  • AAT-25.1 - AI & Autonomous Technologies System Value Chain Fallbacks
  • AAT-26 - AI & Autonomous Technologies Testing Techniques
  • AAT-26.1 - Generative Artificial Intelligence (GAI) Identification
  • AAT-26.2 - AI & Autonomous Technologies Capabilities Testing
  • AAT-26.3 - Real-World Testing
  • AAT-26.4 - Documenting Testing Guidance
  • AAT-27 - AI & Autonomous Technologies Output Filtering
  • AAT-27.1 - Human Moderation
  • AST-31.2 - High-Risk Asset Categorization
  • BCD-06.1 - Contingency Planning Components
  • BCD-06.2 - Contingency Plan Update Notifications
  • CHG-07 - Emergency Changes
  • CHG-07.1 - Documenting Emergency Changes
  • CPL-01.4 - Conformity Assessment
  • CPL-01.5 - Declaration of Conformity
  • CPL-02.3 - Corrective Action
  • CPL-03.3 - Assessor Access
  • CPL-08 - Localized Representation
  • CPL-08.1 - Representative Powers
  • MON-02.9 - Inventory of Technology Asset Event Logging
  • HRS-07.2 - Updating Disciplinary Processes
  • IAC-10.13 - Events Requiring Authenticator Change
  • IRO-09.2 - Recurring Incident Analysis
  • IRO-10.5 - Serious Incident Reporting
  • RSK-04.2 - Risk Assessment Methodology
  • SAT-01.1 - Maintaining Workforce Development Relevancy
  • TDA-02.8 - Minimizing Attack Surfaces
  • TDA-02.9 - Ongoing Product Security Support
  • TDA-02.10 - Product Testing & Reviews
  • TDA-02.11 - Disclosure of Vulnerabilities
  • TDA-02.12 - Products With Digital Elements
  • TDA-02.13 - Reporting Exploitable Vulnerabilities
  • TDA-21 - Product Conformity Governance
  • TDA-22 - Technical Documentation Artifacts
  • TDA-22.1 - Product-Specific Risk Assessment Artifacts
  • VPM-04.3 - Deferred Patching Decisions
  • VPM-05.8 - Software Patch Integrity

Renamed controls:

  • AAT-07.1 - AI & Autonomous Technologies Impact Assessment
  • HRS-05.3 - Technology Use Restrictions
  • IRO-12 - Sensitive / Regulated Data Spill Response
  • IRO-12.1 - Sensitive / Regulated Data Spill Responsible Personnel
  • IRO-12.2 - Sensitive / Regulated Data Spill Training
  • IRO-12.3 - Post-Sensitive / Regulated Data Spill Operations
  • IRO-12.4 - Sensitive / Regulated Data Exposure to Unauthorized Personnel
  • TDA-06 - Secure Software Development Practices (SSDP)
  • TPM-03 - Supply Chain Risk Management (SCRM)

Wordsmithed controls:

  • GOV-03 - Periodic Review & Update of Cybersecurity & Data Protection Program
  • AAT-07.1 - AI & Autonomous Technologies Impact Assessment
  • AAT-08 - Assigned Responsibilities for AI & Autonomous Technologies
  • AAT-09 - AI & Autonomous Technologies Risk Profiling
  • AAT-10 - Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV)
  • AAT-10.3 - AI TEVV Trustworthiness Demonstration
  • AAT-16.7 - Pre-Trained AI & Autonomous Technologies Models
  • BCD-06 - Ongoing Contingency Planning
  • CPL-03 - Cybersecurity & Data Protection Assessments
  • HRS-04.2 - Formal Indoctrination
  • HRS-05.3 - Technology Use Restrictions
  • HRS-15 - Reporting Suspicious Activities
  • IAC-10 - Authenticator Management
  • IRO-12 - Sensitive / Regulated Data Spill Response
  • IRO-12.1 - Sensitive / Regulated Data Spill Responsible Personnel
  • IRO-12.2 - Sensitive / Regulated Data Spill Training
  • IRO-12.3 - Post-Sensitive / Regulated Data Spill Operations
  • IRO-12.4 - Sensitive / Regulated Data Exposure to Unauthorized Personnel
  • TDA-01.1 - Product Management
  • TDA-02 - Minimum Viable Product (MVP) Security Requirements
  • TDA-06 - Secure Software Development Practices (SSDP)
  • TPM-03 - Supply Chain Risk Management (SCRM)

Updating mappings:

  • Canada ITSP-10-171
    HRS-04
    HRS-05.1
    IAC-02
    IAC-25
  • CISA SSDAF
    AST-03.2
    TDA-04.2
  • NIST 800-171 R3
    HRS-04
    HRS-05.1
    IAC-02
    IAC-25
  • NIST 800-171A R3
    HRS-04
    IAC-02
    TDA-02.3

SCF 2025.1

30 Mar 18:51

Version 2025.1 represents a minor update, based on new and changed controls in the Secure Controls Framework (SCF). You can download the new version of the SCF and errata from:

NOTE - Version 2025.1.1 adds the India Digital Personal Data Protection Act (DPDPA) column, which was missing from the main SCF spreadsheet.

Added Set Theory Relationship Mappings (STRM) for:

  1. UK Defence Standard (Def Stan) 05-138
  2. India Digital Personal Data Protection Act (DPDPA)
  3. Saudi Arabia IoT CGIoT-1
  4. Saudi Arabia Personal Data Protection Law (PDPL)
  5. Spain BOE-A-2022-7191
  6. UAE National Information Assurance Framework (NIAF)
  7. EU General Data Protection Regulation (GDPR)
  8. US Data Privacy Framework
  9. US Oregon Data Privacy Act (SB619)
  10. US Texas Data Privacy & Security Act

Removed mappings to:

  1. Old version of EU GDPR mapping
  2. EU ePrivacy Directive
  3. Czech Republic Act No. 101/2000 on the Protection of Personal Data
  4. Denmark Act on Processing of Personal Data (Act No. 429 of May 31, 2000)
  5. Finland Personal Data Act (986/2000)
  6. France 78 17 / 2004 8021 - Information Technology, Data Files & Civil Liberty
  7. Luxembourg Protection of Persons with Regard to the Processing of Personal Data
  8. Portugal Act on the Protection of Personal Data
  9. Slovak Republic Protection of Personal Data (122/2013)
  10. UAE Data Protection Law No. 1 of 2007
  11. Indonesia Government Regulation No. 82 of 2012

New controls:

  1. CPL-01.3 - Ability To Demonstrate Conformity
  2. CPL-02.2 - Periodic Audits
  3. CPL-07 - Grievances
  4. CPL-07.1 - Grievance Response
  5. MON-17 - Event Log Analysis & Triage
  6. MON-17.1 - Event Log Review Escalation Matrix
  7. HRS-01.1 - Onboarding, Transferring & Offboarding Personnel
  8. HRS-14 - Identifying Authorized Work Locations
  9. HRS-14.1 - Communicating Authorized Work Locations
  10. HRS-15 - Reporting Suspicious Activities
  11. PES-19 - Physical Access Device Inventories
  12. PRI-01.8 - Data Fiduciary
  13. PRI-01.9 - Personal Data (PD) Process Manager
  14. PRI-01.10 - Financial Incentives For Personal Data (PD)
  15. PRI-03.9 - Continued Use of Personal Data (PD)
  16. PRI-03.10 - Cease Processing, Storing and/or Sharing Personal Data (PD)
  17. PRI-03.11 - Communicating Processing Changes
  18. PRI-04.7 - Personal Data (PD) Collection Methods
  19. PRI-05.8 - Personal Data (PD) Formats
  20. PRI-07.5 - Justification To Reject Disclosure Requests
  21. PRI-12.1 - Enabling Data Subjects To Update Personal Data (PD)
  22. VPM-05.6 - Pre-Deployment Patch Testing
  23. VPM-05.7 - Out-of-Cycle Patching

Renamed controls:

  1. MON-01.8 - Security Event Monitoring
  2. IRO-10.2 - Cyber Incident Reporting for Sensitive / Regulated Data
  3. PRI-01.7 - Limiting Personal Data (PD) Disclosures
  4. PRI-03.2 - Just-In-Time Notice & Updated Consent
  5. PRI-03.3 - Prohibition of Selling, Processing and/or Sharing Personal Data (PD)
  6. PRI-04.1 - Authority To Collect, Process, Store & Share Personal Data (PD)
  7. PRI-04.4 - Acquired Personal Data (PD)
  8. PRI-04.5 - Validate Collected Personal Data (PD)
  9. PRI-04.6 - Re-Validate Collected Personal Data (PD)
  10. PRI-05 - Personal Data (PD) Retention & Disposal
  11. PRI-05.1 - Internal Use of Personal Data (PD) For Testing, Training and Research
  12. PRI-05.4 - Usage Restrictions of Personal Data (PD)
  13. PRI-05.6 - Personal Data (PD) Inventory Automation Support
  14. PRI-06 - Data Subject Empowerment
  15. PRI-06.7 - Personal Data (PD) Exports
  16. PRI-07.2 - Joint Processing of Personal Data (PD)
  17. PRI-07.4 - Reject Unauthenticated or Untrustworthy Disclosure Requests
  18. PRI-14 - Documenting Data Processing Activities
  19. SAT-03.3 - Sensitive / Regulated Data Storage, Handling & Processing

Wordsmithed controls:

  1. GOV-08 - Defining Business Context & Mission
  2. GOV-16 - Materiality Determination
  3. CRY-07 - Wireless Access Authentication & Encryption
  4. DCH-18.1 - Minimize Sensitive / Regulated Data
  5. NET-15.1 - Authentication & Encryption
  6. PRI-01 - Data Privacy Program
  7. PRI-01.4 - Data Protection Officer (DPO)
  8. PRI-01.6 - Security of Personal Data (PD)
  9. PRI-02 - Data Privacy Notice
  10. PRI-02.1 - Purpose Specification
  11. PRI-02.2 - Automated Data Management Processes
  12. PRI-02.3 - Computer Matching Agreements (CMA)
  13. PRI-03 - Choice & Consent
  14. PRI-03.1 - Tailored Consent
  15. PRI-03.2 - Just-In-Time Notice & Updated Consent
  16. PRI-03.3 - Prohibition of Selling, Processing and/or Sharing Personal Data (PD)
  17. PRI-03.4 - Revoke Consent
  18. PRI-03.5 - Product or Service Delivery Restrictions
  19. PRI-04 - Restrict Collection To Identified Purpose
  20. PRI-04.1 - Authority To Collect, Process, Store & Share Personal Data (PD)
  21. PRI-04.3 - Identifiable Image Collection
  22. PRI-05.2 - Personal Data (PD) Accuracy & Integrity
  23. PRI-05.4 - Usage Restrictions of Personal Data (PD)
  24. PRI-05.5 - Inventory of Personal Data (PD)
  25. PRI-06 - Data Subject Empowerment
  26. PRI-06.3 - Appeal Adverse Decision
  27. PRI-06.4 - User Feedback Management
  28. PRI-06.5 - Right to Erasure
  29. PRI-06.6 - Data Portability
  30. PRI-06.7 - Personal Data (PD) Exports
  31. PRI-07.4 - Reject Unauthenticated or Untrustworthy Disclosure Requests
  32. PRI-09 - Personal Data (PD) Lineage
  33. PRI-14 - Documenting Data Processing Activities
  34. PRI-14.1 - Accounting of Disclosures
  35. PRI-17 - Data Subject Communications
  36. OPS-07 - Shadow Information Technology Detection
  37. SAT-03.3 - Sensitive / Regulated Data Storage, Handling & Processing

Updating mappings:
  • ISO 27002:2022
    GOV-09 (corrected typo)
  • NIST 800-171A
    CFG-02
    MON-08

2024.4

06 Mar 20:28

Version 2024.4 represents a minor update, based on new and changed controls. You can download the new version from https://securecontrolsframework.com/scf-download/ and the errata from https://securecontrolsframework.com/errata/.

Added Set Theory Relationship Mappings (STRM) for:
  • HIPAA Security Rule (NIST SP 800-66 R2)
  • HIPAA Administrative Simplification
  • CIS CSC 8.1
  • CISA Cybersecurity Performance Goals (CPG)
  • CISA Secure Software Development Attestation Form (SSDAF)

Removed mappings to:
  • HIPAA
  • NIST 800-66 R2 (combined into the new HIPAA Security Rule column)
  • CIS CSC 8.0

New controls:
  • SAT-05
  • THR-06.1

Renamed controls:
  • DCH-06.3
  • DCH-18.1
  • DCH-18.2

Wordsmithed controls:
  • DCH-18.1
  • DCH-18.2
  • IRO-02
  • IAO-02.2
  • PRI-01.2
  • RSK-02
  • TDA-09
  • TDA-15
  • TPM-08

Updating mappings:
  • FAR 52.204-21
    GOV-01
    GOV-02
    GOV-04
    GOV-04.1
    GOV-15
    PES-03
    PES-03.3
  • NIS2
    AST-02
  • NIST 800-53 R4
    CFG-02
    CFG-02.1
  • NIST 800-53 R5
    CFG-02
    CFG-02.1
    MON-03
  • NIST 800-171 R2
    CLD-06
    CLD-10
    CFG-02
    CFG-02.1
    NET-02.2
    PES-06.1
    WEB-02
    WEB-04
  • NIST 800-171A
    CLD-06
    CLD-10
    NET-02.2
    PES-05
    PES-05.1
    PES-05.2
    PES-06
    PES-06.1
    WEB-02
    WEB-04
  • NIST 800-171 R3
    DCH-14
    IAO-02
    NET-02.2
    PES-06.1
    TDA-02
  • NIST 800-171A R3
    NET-02.2
    PES-06.1

2024.3

26 Sep 01:56

Version 2024.3 represents a minor update, based on new and changed controls. New content includes possible solutions & considerations based on BLS firm size classes 1-9.

Added Set Theory Relationship Mappings (STRM) for:

  • TISAX ISA v6.0.3
  • Australia ISM June 2024
  • New Zealand Health ISF 2022
  • PCI DSS v4
  • CIS CSC 8.0
  • CMMC Level 1 / FAR 52.204-21
  • NIST 800-171A

Removed mappings to:

  • TISAX ISA v5.1.0
  • Australia ISM 2022
  • New Zealand Health ISF

New controls:

  • IAC-01.3 - User & Service Account Inventories
  • NET-04.14 - Application Proxy
  • NET-06.7 - Software Defined Networking (SDN)
  • PES-01.2 - Zone-Based Physical Security
  • TDA-01.4 - DevSecOps

New risks:

  • R-SC-1 - Third-party cybersecurity exposure
  • R-SC-2 - Third-party physical security exposure
  • R-SC-3 - Third-party supply chain relationships, visibility and controls
  • R-SC-4 - Third-party compliance / legal exposure
  • R-SC-5 - Use of product / service
  • R-SC-6 - Reliance on the third-party

New threats:

  • MT-17 - Foreign Ownership, Control, or Influence (FOCI)
  • MT-18 - Geopolitical
  • MT-19 - Sanctions
  • MT-20 - Counterfeit / Non-Conforming Products
  • MT-21 - Operational Environment
  • MT-22 - Supply Chain Interdependencies
  • MT-23 - Third-Party Quality Deficiencies

Renamed controls:

  • AST-08
  • AST-15
  • BCD-06
  • BCD-10.4
  • DCH-18.1
  • IAC-10.8
  • NET-04.7
  • NET-18.1
  • TPM-05.8
  • THR-03

Wordsmithed controls:

  • MON-01.4
  • DCH-18.1
  • HRS-03
  • IAC-10.8
  • NET-04.7
  • THR-03

Updating mappings:

  • CIS

    AST-01
    AST-02.2
    AST-02.9
    AST-03.2
    BCD-11.5
    CHG-06
    CFG-01
    CFG-02
    CFG-02.1
    CFG-03
    CFG-03.2
    CFG-05.2
    CFG-06.1
    MON-01
    MON-01.4
    MON-03
    MON-04
    CRY-01
    CRY-05
    CRY-05.1
    DCH-01.2
    DCH-01.4
    DCH-14.3
    END-04
    END-04.3
    END-04.7
    END-05
    END-06.2
    END-08
    HRS-05.3
    HRS-05.4
    IAC-01
    IAC-01.2
    IAC-03
    IAC-04
    IAC-08
    IAC-13.1
    IAC-13.2
    IAC-15.1
    IAC-16
    IRO-02
    IRO-04
    IRO-06
    IRO-07
    IRO-10
    IRO-15
    MDM-01
    MDM-06
    MDM-07
    NET-03
    NET-08.3
    NET-20.4
    RSK-06.2
    RSK-09.1
    SAT-03
    SAT-03.8
    SAT-03.9
    TDA-01
    TDA-01.1
    TDA-02
    TDA-02.1
    TDA-02.5
    TDA-02.6
    TDA-17
    TPM-05.4
    TPM-05.5
    TPM-08
    THR-06
    VPM-04
    VPM-05.1
    VPM-06.6
    VPM-06.7
    VPM-07
    WEB-07
    WEB-08

  • CMMC Level 1

    IAC-02
    IAC-04
    IAC-15
    IAC-20
    NET-03
    TPM-01
    VPM-02
    VPM-04
    VPM-05
    WEB-01
    WEB-02
    WEB-04

  • FAR 52.204-21

    GOV-01
    GOV-02
    GOV-04
    GOV-04.1
    GOV-15
    AST-01
    CLD-03
    CLD-04
    CLD-07
    CLD-09
    CPL-01
    CFG-03
    DCH-01
    DCH-16
    DCH-21
    END-01
    END-04
    HRS-01
    HRS-05
    IAC-04
    IAC-09
    IAC-10
    IAC-10.1
    IAC-15.1
    IRO-15
    NET-02
    NET-05.1
    NET-08.1
    NET-14
    NET-14.5
    PES-01
    PES-03
    PES-03.1
    PES-03.3
    SEA-01
    SEA-02
    SEA-03
    TDA-11.2
    TPM-01
    TPM-05
    TPM-05.2
    THR-03

  • PCI DSS v4

    GOV-01
    GOV-02
    GOV-03
    GOV-04
    AST-01
    AST-02
    AST-04.2
    AST-04.3
    AST-05
    BCD-11
    CHG-01
    CHG-02
    CHG-02.4
    CPL-01
    CFG-01
    CFG-02
    CFG-02.1
    CFG-02.5
    CFG-03
    CFG-03.1
    MON-01
    MON-01.4
    MON-01.7
    MON-01.8
    MON-01.10
    MON-03
    MON-16
    CRY-01
    CRY-02
    CRY-03
    CRY-05
    CRY-05.1
    CRY-09
    DCH-01.2
    DCH-03.1
    DCH-06
    DCH-06.1
    DCH-06.5
    DCH-07
    DCH-08
    DCH-13.1
    DCH-18
    END-01
    END-04
    END-04.1
    END-04.7
    END-06
    END-08
    END-16
    HRS-03
    HRS-03.1
    IAC-01
    IAC-03
    IAC-06.1
    IAC-06.2
    IAC-10
    IAC-10.1
    IAC-12
    IAC-17
    IAC-20.6
    IAC-21
    IRO-01
    IRO-02
    IRO-12.3
    IRO-13
    IAO-04
    NET-01
    NET-02
    NET-02.2
    NET-04.7
    NET-06
    NET-08.1
    NET-09
    NET-12
    NET-12.1
    NET-14
    NET-15
    NET-15.1
    PES-01
    PES-02
    PES-02.1
    PES-06.4
    PRI-05
    PRI-05.5
    PRI-08
    RSK-05
    RSK-06
    RSK-06.2
    SEA-01
    SEA-02.3
    SEA-04.1
    OPS-01
    OPS-01.1
    SAT-01
    SAT-02
    SAT-03
    SAT-03.3
    SAT-03.5
    SAT-03.6
    SAT-04
    TDA-07
    TDA-15
    TPM-01
    TPM-04
    TPM-04.4
    TPM-05
    THR-01
    VPM-01
    VPM-01.1
    VPM-02
    VPM-03
    VPM-04
    VPM-06
    VPM-06.2
    VPM-06.6
    VPM-06.7
    WEB-10

SCF 2024.2.1

03 Jul 20:29

Version 2024.2.1 corrects a formatting issue for the following controls:

  • AST-01.4
  • AST-02
  • AST-02.1
  • AST-02.2
  • AST-02.3
  • AST-02.4
  • AST-02.5
  • AST-02.6
  • AST-02.7
  • AST-02.8
  • AST-02.9
  • AST-02.10
  • AST-02.11
  • AST-03

2024.2: SCF 2024.1.1

23 May 13:06

Version 2024.2 is a moderate update based on new and changed controls. This release adds tagging of controls by People, Processes, Technology, Data & Facilities (PPTDF) applicability:

  • People - A "people" control is primarily applied to humans (e.g., employees, contractors, third-parties, etc.)
  • Process - A "process" control is primarily applied to a manual or automated process.
  • Technology - A "technology" control is primarily applied to a system, application and/or service.
  • Data - A "data" control is primarily applied to data (e.g., CUI, CHD, PII, etc.).
  • Facility - A "facility" control is primarily applied to a physical building (e.g., office, data center, warehouse, home office, etc.)

This release also adds the "MSP/MSSP Secure Practices Baseline" as the SCF-M sub-control set. It is intended to help organizations perform Cybersecurity Supply Chain Risk Management (C-SCRM) assessments of their Managed Service Providers (MSPs) and Managed Security Service Providers (MSSPs). SCF-M is specifically tailored to identify reasonable controls across a set of common compliance expectations, and draws its controls from:

  • AICPA / CICA Privacy Maturity Model (GAPP)
  • NAIC Insurance Data Security Model Law (MDL-668)
  • NIST 800-161 rev 1 C-SCRM Baseline
  • NIST 800-171 rev 3
  • NIST 800-207 (Zero Trust Architecture)
  • NIST CSF v2.0 IPD
  • OWASP Top 10 v2021
  • DHS CISA TIC 3.0
  • FAR Section 889
  • GLBA CFR 314 (Dec 2023)
  • SEC Cybersecurity Rule

Added mappings:

  • NIST 800-171 R3
  • NIST 800-171A R3
  • NY DFS 23 NYCRR500 2023 Amendment 2

New controls:

  • AST-01.4: Approved Technologies
  • CFG-06.1: Integrity Assurance & Enforcement (IAE)
  • END-14.6: Explicit Indication Of Use
  • SAT-03.9: Counterintelligence Training
  • THR-03.1: Threat Intelligence Reporting

Renamed controls:

  • CFG-03.3: Explicitly Allow / Deny Applications
  • CHG-04.4: Permissions To Implement Changes
  • CHG-06: Control Functionality Verification
  • CLD-11: Cloud Access Security Broker (CASB)
  • CRY-01.2: Export-Controlled Cryptography
  • END-06.2: Endpoint Detection & Response (EDR)
  • IAC-13.1: Single Sign-On (SSO) Transparent Authentication
  • NET-05: Interconnection Security Agreements (ISAs)
  • NET-06: Network Segmentation (macrosegmentation)
  • NET-07: Network Connection Termination

Wordsmithed controls:

  • IAC-06.4
  • CFG-03.3
  • CHG-06
  • CLD-04
  • CLD-11
  • DCH-14.3
  • END-06
  • END-07
  • IAC-21.3
  • IAC-28
  • MDM-01
  • MON-01.4
  • NET-04
  • NET-05
  • NET-07
  • NET-14.7
  • PES-03.3
  • PRI-05.3
  • PRI-10
  • SAT-03.6
  • TDA-02.3
  • THR-03
  • VPM-06

Updating mappings:

ISO 27001:2022

  • GOV-10
  • AST-02.9
  • AST-04.1
  • AST-06
  • END-09
  • IAC-21.3
  • NET-01
  • NET-03.3
  • NET-03.5
  • PRI-05.5
  • TPM-05.4

ISO 27002:2022

  • GOV-10
  • AST-02.9
  • AST-04.1
  • AST-06
  • END-09
  • IAC-21.3
  • NET-01
  • NET-03.3
  • NET-03.5
  • PRI-05.5
  • TPM-05.4

ISO 27017

  • IRO-11

NIST 800-161

  • BCD-08
  • BCD-09
  • CAP-02
  • CFG-01.1
  • CFG-03.4
  • CFG-04.1
  • CHG-06
  • CLD-09
  • CRY-05
  • DCH-19
  • GOV-02
  • GOV-03
  • GOV-06
  • GOV-10
  • HRS-05
  • IAC-01.2
  • IAC-20
  • IAC-21
  • IRO-02
  • IRO-02.5
  • IRO-10
  • IRO-10.4
  • IRO-11
  • IRO-14
  • MNT-02
  • NET-04.2
  • NET-04.5
  • NET-11
  • PES-01
  • PRI-13
  • RSK-09
  • SAT-02
  • SAT-03
  • SAT-03.9
  • SEA-01
  • SEA-07
  • SEA-15
  • TDA-01
  • TDA-04
  • TDA-04.1
  • TDA-04.2
  • TDA-05
  • TDA-06.1
  • TPM-03
  • TPM-04
  • TPM-05.4
  • TPM-05.7
  • THR-01
  • THR-03

NIST 800-53 R5

  • RSK-09
  • TPM-02
  • TPM-03
  • TPM-05
  • TPM-05.4
  • TPM-05.7

NIST 800-171A

  • IAO-03
  • IAO-05
  • IAC-03
  • IAC-05

SCF 2024.1.1

27 Mar 16:18

Version 2024.1.1 corrects the TSC 2017 mapping, which had been cut off.

Version 2024.1 is a minor update:

  • New controls were added.
  • The SCF began using Set Theory Relationship Mapping (STRM) per NIST IR 8477.

Added Mapping:

  • NIST Cybersecurity Framework 2.0 (NIST CSF 2.0)
  • NIST SP 800-207
  • DoD Zero Trust Reference Architecture v2 (July 2022)
  • Australia Essential 8
  • China Cybersecurity Law (2017)
  • Criminal Justice Information Services (CJIS) 5.9.3
  • Trusted Internet Connections 3.0
  • Digital Operational Resilience Act (DORA)
  • FTC's Standards for Safeguarding Consumer Information (GLBA 2023)
  • IEC TR 60601-4-5:2021
  • ISO 42001:2024
  • NIS 2 Directive
  • NY DFS NYCRR500 (2023)
  • SEC Cybersecurity Rule (2023)
  • Spain Royal Decree 311/2022
  • Space Attack Research & Tactic Analysis (SPARTA) Countermeasures
  • Tennessee Information Protection Act
  • Trust Services Criteria (TSC) 2017 with 2022 Points of Focus

New Controls:

  • GOV-16: Materiality Determination
  • GOV-16.1: Material Risks
  • GOV-16.2: Material Threats
  • GOV-17: Cybersecurity & Data Privacy Status Reporting
  • AAT-12.1: Data Source Identification
  • AAT-12.2: Data Source Integrity
  • BCD-01.5: Recovery Operations Criteria
  • BCD-01.6: Recovery Operations Communications
  • BCD-13.1: Restoration Integrity Verification
  • CAP-05: Elastic Expansion
  • CAP-06: Regional Delivery
  • CRY-12: Certificate Monitoring
  • DCH-27: Data Rights Management (DRM)
  • END-14.3: Participant Identity Verification
  • END-14.4: Participant Connection Management
  • END-14.5: Malicious Link & File Protections
  • IAC-04.2: Device Authorization Enforcement
  • IAC-13.3: Continuous Authentication
  • NET-06.6: Microsegmentation
  • NET-08.3: Host Containment
  • NET-08.4: Resource Containment
  • NET-18.4: Protocol Compliance Enforcement
  • NET-18.5: Domain Name Verification
  • NET-18.6: Internet Address Denylisting
  • NET-18.7: Bandwidth Control
  • NET-18.8: Authenticated Proxy
  • NET-18.9: Certificate Denylisting
  • NET-19: Content Disarm and Reconstruction (CDR)
  • NET-20: Email Content Protections
  • NET-20.1: Email Domain Reputation Protections
  • NET-20.2: Sender Denylisting
  • NET-20.3: Authenticated Received Chain (ARC)
  • NET-20.4: Domain-Based Message Authentication Reporting and Conformance (DMARC)
  • NET-20.5: User Digital Signatures for Outgoing Email
  • NET-20.6: Encryption for Outgoing Email
  • NET-20.7: Adaptive Email Protections
  • NET-20.8: Email Labeling
  • NET-20.9: User Threat Reporting
  • PRI-18: Data Controller Communications
  • SEA-04.4: System Privileges Isolation
  • SEA-21: Application Container
  • OPS-06: Security Orchestration, Automation, and Response (SOAR)
  • OPS-07: Shadow Information Technology Detection
  • THR-11: Behavioral Baselining

Control Wordsmithing:

  • AAT-12
  • CFG-02.2
  • DCH-22
  • NET-18
  • PRI-01.3
  • PRI-02
  • RSK-01
  • RSK-01.1
  • TPM-05

Updated Mapping:

NIST SP 800-53 R5

  • AST-08
  • IAC-09.3
  • TDA-06.2
  • TDA-13

NIST 800-171 R2

  • IAC-08
  • IAC-15.1

DORA

  • GOV-01
  • GOV-01.2
  • GOV-15
  • CPL-01
  • CPL-01.2
  • MON-01
  • MON-16
  • IRO-01
  • IRO-10
  • NET-08
  • RSK-09
  • SEA-01
  • TDA-17.1
  • TPM-01
  • TPM-03
  • TPM-03.1
  • TPM-04
  • TPM-05
  • TPM-05.7
  • TPM-08
  • VPM-07.1

SCF 2023.4

05 Dec 00:53

Version 2023.4 represents a minor update.

  • There are new controls.
  • Risk & threat models were updated.

Added Mapping:

  • CIS CSC v8.0 IG1-IG3
  • ISO/SAE 21434:2021 - Road vehicles - Cybersecurity engineering
  • NIST SP 800-82 Rev 3 - Guide to Operational Technology (OT) Security (OT overlays: low, moderate, high)
  • NIST SP 800-171 R3 Final Public Draft (FPD)
  • NIST 800-171A R3 Initial Public Draft (IPD)
  • UN - UNECE WP.29
  • US - FAR 52.204-27 Prohibition on a ByteDance Covered Application
  • Germany - Banking Supervisory Requirements for IT (BAIT)
  • Australia - Prudential Standard CPS 230 - Operational Risk Management

New Controls:

  • CLD-13: Hosted Systems, Applications & Services
  • CLD-13.1: Authorized Individuals For Hosted Systems, Applications & Services
  • CLD-13.2: Sensitive/Regulated Data On Hosted Systems, Applications & Services
  • CLD-14: Prohibition On Unverified Hosted Systems, Applications & Services
  • DCH-01.4: Defining Access Authorizations for Sensitive/Regulated Data
  • IAC-20.7: Authorized System Accounts
  • TPM-03.4: Adequate Supply
  • WEB-14: Publicly Accessible Content Reviews

Renamed Controls:

  • CPL-02 - Cybersecurity & Data Protection Controls Oversight
  • CPL-03 - Cybersecurity & Data Protection Assessments
  • CPL-03.2 - Functional Review Of Cybersecurity & Data Protection Controls
  • DCH-09 - System Media Sanitization
  • DCH-09.1 - System Media Sanitization Documentation
  • IAC-02.2 - Replay-Resistant Authentication
  • IAC-15.1 - Automated System Account Management (Directory Services)
  • IAC-15.7 - System Account Reviews

Control Wordsmithing:

  • AST-02.5 - Network Access Control (NAC)
  • BCD-11.7 - Redundant Secondary System
  • CPL-02 - Cybersecurity & Data Protection Controls Oversight
  • CPL-03 - Cybersecurity & Data Protection Assessments
  • CPL-03.1 - Independent Assessors
  • CPL-03.2 - Functional Review Of Cybersecurity & Data Protection Controls
  • CFG-03.4 - Split Tunneling
  • MON-03 - Content of Event Logs
  • DCH-09 - System Media Sanitization
  • DCH-09.1 - System Media Sanitization Documentation
  • DCH-14.3 - Data Access Mapping
  • IAC-02.2 - Replay-Resistant Authentication
  • IAC-15.1 - Automated System Account Management (Directory Services)
  • IAC-15.7 - System Account Reviews
  • VPM-06.5 - Review Historical Event Logs

New Threats:

  • MT-14: Willful Criminal Conduct
  • MT-15: Conflict of Interest (COI)
  • MT-16: Macroeconomics

Updated Mapping:

  • NIST SP 800-53 R5

AST-03
AST-04.1
BCD-10.4
BCD-12.2
BCD-13
CLD-03
CFG-08
MON-07.1
MON-08.1
END-12
IAC-01.2
MNT-05.1
MNT-08
NET-06.5
NET-14.8
PES-05.2
SEA-07.2
SEA-07.3
SAT-03.2
TPM-03.4

  • CIS 8.0

CRY-05
END-04
END-04.3

  • DFARS

GOV-06
GOV-15.1
GOV-15.2
AST-17
CPL-01
CPL-01.1
DCH-01.2
END-04
IRO-04.1
IRO-08
IRO-10
IRO-10.2
IRO-10.4
IRO-12
IAO-02
SEA-02.1
TPM-01
TPM-01.1
TPM-05
TPM-05.2