Version 2025.2.2 is a minor update, released to announce the new SCF Cybersecurity Oversight, Resilience and Enablement (CORE) baselines:
- SCF CORE Fundamentals
- SCF CORE MA&D (Mergers, Acquisitions & Divestitures)
There are also a few minor updates to existing controls in the 2025.2.2 release:
Corrects the addition of New Zealand HISF 2022 mapping:
- TPM-01
- TPM-04.1
- TPM-05
- TPM-08
CMMC 2.0 Level 2 (updated mappings to correspond to the NIST 800-171 R2 STRM):
- CLD-06
- CLD-10
- CFG-02.1
- IAC-15.1
- NET-02.2
- PES-06.1
- WEB-02
- WEB-04
Renamed controls:
- HRS-06.2
- HRS-09.3
Wordsmithed controls:
- HRS-06.2
- HRS-09.3
- IAC-01.3
- NET-06
Removes mapping for:
- UK GDPR (redundant with STRM for EU GDPR mapping)
Version 2025.2.1 corrects a few items in the AAT domain due to a correction in the Set Theory Relationship Mapping (STRM) for NIST AI 600-1 and the EU AI Act:
EU AI Act changes:
- AAT-22
- AAT-22.3
- AAT-22.4
NIST AI 600-1 changes:
- AAT-06
- AAT-10
- AAT-24
- AAT-26
- AAT-26.1
- TDA-22
Version 2025.2 represents a major update, based on the number of new and changed controls in the Secure Controls Framework (SCF). There are seventy-nine (79) new controls in SCF 2025.2, and the majority of the new controls are focused on the governance of Artificial Intelligence (AI).
You can download the new version of the SCF and errata from:
- SCF: https://securecontrolsframework.com/scf-download/
- Errata: https://securecontrolsframework.com/errata/
Added / Updated Set Theory Relationship Mappings (STRM) for:
EU Artificial Intelligence (AI) Act (Regulation (EU) 2024/1689)
EU Cyber Resilience Act
EU Cyber Resilience Act - Annexes
ENISA NIS2 Annex
Farm Credit Administration (FCA) Cyber Risk Management
NAIC Insurance Data Security Model Law 668
NERC CIP (2024)
NIST AI 100-1 (AI Risk Management Framework)
NIST AI 600-1 (NIST Trustworthy and Responsible AI)
NIST SP 800-171 R3
NIST SP 800-171A R3
NIST SP 800-218 v1.1
NZ Health Information Security Framework (2022)
HISO 10029:2024 NZ Health Information Security Framework Guidance for Suppliers
Removed SCF mappings to:
South Carolina Insurance Data Security Act (directly maps to NAIC Insurance Data Security Model Law 668)
New controls:
GOV-01.3 - Commitment To Continual Improvements
GOV-18 - Quality Management System (QMS)
AAT-02.3 - Adequate Protections For AI & Autonomous Technologies
AAT-09.1 - AI & Autonomous Technologies High Risk Designations
AAT-10.15 - AI TEVV Reporting
AAT-10.16 - AI TEVV Empirically Validated Methods
AAT-10.17 - AI TEVV Benchmarking Content Provenance
AAT-10.18 - AI TEVV Model Collapse Mitigations
AAT-12.3 - Data Source Lineage & Origin Disclosure
AAT-12.4 - Digital Content Modification Logging
AAT-16.8 - AI & Autonomous Technologies Event Logging
AAT-16.9 - Serious Incident Reporting For AI & Autonomous Technologies
AAT-16.10 - Serious Incident Root Cause Analysis (RCA) For AI & Autonomous Technologies
AAT-17.4 - Novel Risk Assessment Methods & Technologies
AAT-17.5 - Fine Tuning Risk Mitigation
AAT-19 - AI & Autonomous Technologies Conformity
AAT-19.1 - Manipulative or Deceptive Techniques
AAT-19.2 - Materially Distorting Behaviors
AAT-19.3 - Social Scoring
AAT-19.4 - Detrimental or Unfavorable Treatment
AAT-19.5 - Risk and Criminal Profiling
AAT-19.6 - Populating Facial Recognition Databases
AAT-19.7 - Emotion Inference
AAT-19.8 - Biometric Categorization
AAT-20 - AI & Autonomous Technologies Development Practices
AAT-20.1 - AI & Autonomous Technologies Transparency
AAT-20.2 - AI & Autonomous Technologies Implementation Documentation
AAT-20.3 - AI & Autonomous Technologies Human Domain Knowledge Reliance
AAT-21 - AI & Autonomous Technologies Registration
AAT-22 - AI & Autonomous Technologies Deployment
AAT-22.1 - AI & Autonomous Technologies Human Oversight
AAT-22.2 - AI & Autonomous Technologies Oversight Measures
AAT-22.3 - AI & Autonomous Technologies Separate Verification
AAT-22.4 - AI & Autonomous Technologies Oversight Functions Competency
AAT-22.5 - AI & Autonomous Technologies Data Relevance
AAT-22.6 - AI & Autonomous Technologies Irregularity Reporting
AAT-22.7 - AI & Autonomous Technologies Use Notification To Employees
AAT-22.8 - AI & Autonomous Technologies Use Notification To Users
AAT-23 - AI & Autonomous Technologies Output Marking
AAT-24 - Real World Testing of AI & Autonomous Technologies
AAT-25 - AI & Autonomous Technologies System Value Chain
AAT-25.1 - AI & Autonomous Technologies System Value Chain Fallbacks
AAT-26 - AI & Autonomous Technologies Testing Techniques
AAT-26.1 - Generative Artificial Intelligence (GAI) Identification
AAT-26.2 - AI & Autonomous Technologies Capabilities Testing
AAT-26.3 - Real-World Testing
AAT-26.4 - Documenting Testing Guidance
AAT-27 - AI & Autonomous Technologies Output Filtering
AAT-27.1 - Human Moderation
AST-31.2 - High-Risk Asset Categorization
BCD-06.1 - Contingency Planning Components
BCD-06.2 - Contingency Plan Update Notifications
CHG-07 - Emergency Changes
CHG-07.1 - Documenting Emergency Changes
CPL-01.4 - Conformity Assessment
CPL-01.5 - Declaration of Conformity
CPL-02.3 - Corrective Action
CPL-03.3 - Assessor Access
CPL-08 - Localized Representation
CPL-08.1 - Representative Powers
MON-02.9 - Inventory of Technology Asset Event Logging
HRS-07.2 - Updating Disciplinary Processes
IAC-10.13 - Events Requiring Authenticator Change
IRO-09.2 - Recurring Incident Analysis
IRO-10.5 - Serious Incident Reporting
RSK-04.2 - Risk Assessment Methodology
SAT-01.1 - Maintaining Workforce Development Relevancy
TDA-02.8 - Minimizing Attack Surfaces
TDA-02.9 - Ongoing Product Security Support
TDA-02.10 - Product Testing & Reviews
TDA-02.11 - Disclosure of Vulnerabilities
TDA-02.12 - Products With Digital Elements
TDA-02.13 - Reporting Exploitable Vulnerabilities
TDA-21 - Product Conformity Governance
TDA-22 - Technical Documentation Artifacts
TDA-22.1 - Product-Specific Risk Assessment Artifacts
VPM-04.3 - Deferred Patching Decisions
VPM-05.8 - Software Patch Integrity
Renamed controls:
AAT-07.1 - AI & Autonomous Technologies Impact Assessment
HRS-05.3 - Technology Use Restrictions
IRO-12 - Sensitive / Regulated Data Spill Response
IRO-12.1 - Sensitive / Regulated Data Spill Responsible Personnel
IRO-12.2 - Sensitive / Regulated Data Spill Training
IRO-12.3 - Post-Sensitive / Regulated Data Spill Operations
IRO-12.4 - Sensitive / Regulated Data Exposure to Unauthorized Personnel
TDA-06 - Secure Software Development Practices (SSDP)
TPM-03 - Supply Chain Risk Management (SCRM)
Wordsmithed controls:
GOV-03 - Periodic Review & Update of Cybersecurity & Data Protection Program
AAT-07.1 - AI & Autonomous Technologies Impact Assessment
AAT-08 - Assigned Responsibilities for AI & Autonomous Technologies
AAT-09 - AI & Autonomous Technologies Risk Profiling
AAT-10 - Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV)
AAT-10.3 - AI TEVV Trustworthiness Demonstration
AAT-16.7 - Pre-Trained AI & Autonomous Technologies Models
BCD-06 - Ongoing Contingency Planning
CPL-03 - Cybersecurity & Data Protection Assessments
HRS-04.2 - Formal Indoctrination
HRS-05.3 - Technology Use Restrictions
HRS-15 - Reporting Suspicious Activities
IAC-10 - Authenticator Management
IRO-12 - Sensitive / Regulated Data Spill Response
IRO-12.1 - Sensitive / Regulated Data Spill Responsible Personnel
IRO-12.2 - Sensitive / Regulated Data Spill Training
IRO-12.3 - Post-Sensitive / Regulated Data Spill Operations
IRO-12.4 - Sensitive / Regulated Data Exposure to Unauthorized Personnel
TDA-01.1 - Product Management
TDA-02 - Minimum Viable Product (MVP) Security Requirements
TDA-06 - Secure Software Development Practices (SSDP)
TPM-03 - Supply Chain Risk Management (SCRM)
Updated mappings:
Canada ITSP-10-171
- HRS-04
- HRS-05.1
- IAC-02
- IAC-25
CISA SSDAF
- AST-03.2
- TDA-04.2
NIST 800-171 R3
- HRS-04
- HRS-05.1
- IAC-02
- IAC-25
NIST 800-171A R3
- HRS-04
- IAC-02
- TDA-02.3