SCF 2024.1.1 Errata.txt
Version 2024.1.1 was released to correct an error in the TSC 2017 mapping: not all of that mapping's content was included in version 2024.1, which has now been corrected.
Version 2024.1 represents a minor update.
- There are new controls to address newly mapped laws, regulations and frameworks.
- The SCF started utilizing Set Theory Relationship Mapping (STRM) per NIST IR 8477 - https://securecontrolsframework.com/set-theory-relationship-mapping-strm/
Added Mapping:
- NIST Cybersecurity Framework 2.0 (NIST CSF 2.0)
- NIST SP 800-207
- DoD Zero Trust Reference Architecture v2 (July 2022)
- Australia Essential 8
- China Cybersecurity Law (2017)
- Criminal Justice Information Services (CJIS) 5.9.3
- Trusted Internet Connections 3.0
- Digital Operational Resilience Act (DORA)
- FTC's Standards for Safeguarding Consumer Information (GLBA 2023)
- IEC TR 60601-4-5:2021
- ISO 42001:2024
- NIS 2 Directive
- NY DFS NYCRR500 (2023)
- SEC Cybersecurity Rule (2023)
- Spain Royal Decree 311/2022
- Space Attack Research & Tactic Analysis (SPARTA) Countermeasures
- Tennessee Information Protection Act
- Trust Services Criteria (TSC) 2017 with 2022 Points of Focus
New Controls:
- GOV-16: Materiality Determination
- GOV-16.1: Material Risks
- GOV-16.2: Material Threats
- GOV-17: Cybersecurity & Data Privacy Status Reporting
- AAT-12.1: Data Source Identification
- AAT-12.2: Data Source Integrity
- BCD-01.5: Recovery Operations Criteria
- BCD-01.6: Recovery Operations Communications
- BCD-13.1: Restoration Integrity Verification
- CAP-05: Elastic Expansion
- CAP-06: Regional Delivery
- CRY-12: Certificate Monitoring
- DCH-27: Data Rights Management (DRM)
- END-14.3: Participant Identity Verification
- END-14.4: Participant Connection Management
- END-14.5: Malicious Link & File Protections
- IAC-04.2: Device Authorization Enforcement
- IAC-13.3: Continuous Authentication
- NET-06.6: Microsegmentation
- NET-08.3: Host Containment
- NET-08.4: Resource Containment
- NET-18.4: Protocol Compliance Enforcement
- NET-18.5: Domain Name Verification
- NET-18.6: Internet Address Denylisting
- NET-18.7: Bandwidth Control
- NET-18.8: Authenticated Proxy
- NET-18.9: Certificate Denylisting
- NET-19: Content Disarm and Reconstruction (CDR)
- NET-20: Email Content Protections
- NET-20.1: Email Domain Reputation Protections
- NET-20.2: Sender Denylisting
- NET-20.3: Authenticated Received Chain (ARC)
- NET-20.4: Domain-Based Message Authentication Reporting and Conformance (DMARC)
- NET-20.5: User Digital Signatures for Outgoing Email
- NET-20.6: Encryption for Outgoing Email
- NET-20.7: Adaptive Email Protections
- NET-20.8: Email Labeling
- NET-20.9: User Threat Reporting
- PRI-18: Data Controller Communications
- SEA-04.4: System Privileges Isolation
- SEA-21: Application Container
- OPS-06: Security Orchestration, Automation, and Response (SOAR)
- OPS-07: Shadow Information Technology Detection
- THR-11: Behavioral Baselining
Renamed Controls:
none
Control Wordsmithing:
- AAT-12
- CFG-02.2
- DCH-22
- NET-18
- PRI-01.3
- PRI-02
- RSK-01
- RSK-01.1
- TPM-05
Updated Mapping:
- NIST SP 800-53 R5
> AST-08
> IAC-09.3
> TDA-06.2
> TDA-13
- NIST SP 800-171 R2
> IAC-08
> IAC-15.1
- DORA
> GOV-01
> GOV-01.2
> GOV-15
> CPL-01
> CPL-01.2
> MON-01
> MON-16
> IRO-01
> IRO-10
> NET-08
> RSK-09
> SEA-01
> TDA-17.1
> TPM-01
> TPM-03
> TPM-03.1
> TPM-04
> TPM-05
> TPM-05.7
> TPM-08
> VPM-07.1