Commit
Showing 6 changed files with 115 additions and 105 deletions.
Binary file renamed (+4.35 MB): ...re Controls Framework (SCF) - 2023.4.xlsx → ...re Controls Framework (SCF) - 2024.1.xlsx
Binary file renamed (+1.27 MB): ...view & Recommended Practices (2023.2).pdf → ...view & Recommended Practices (2024.1).pdf
This file was deleted.
@@ -0,0 +1,115 @@ | ||
Version 2024.1 represents a minor update. | ||
- There are new controls to address newly mapped laws, regulations and frameworks. | ||
- The SCF started utilizing Set Theory Relationship Mapping (STRM) per NIST IR 8477 - https://securecontrolsframework.com/set-theory-relationship-mapping-strm/ | ||
|
||
Added Mapping: | ||
- NIST Cybersecurity Framework 2.0 (NIST CSF 2.0) | ||
- NIST SP 800-207 | ||
- DoD Zero Trust Reference Architecture v2 (July 2022) | ||
- Australia Essential 8 | ||
- China Cybersecurity Law (2017) | ||
- Criminal Justice Information Services (CJIS) 5.9.3 | ||
- Trusted Internet Connections 3.0 | ||
- Digital Operational Resilience Act (DORA) | ||
- FTC's Standards for Safeguarding Consumer Information (GLBA 2023) | ||
- IEC TR 60601-4-5:2021 | ||
- ISO 42001:2024 | ||
- NIS 2 Directive | ||
- NY DFS NYCRR500 (2023) | ||
- SEC Cybersecurity Rule (2023) | ||
- Spain Royal Decree 311/2022 | ||
- Space Attack Research & Tactic Analysis (SPARTA) Countermeasures | ||
- Tennessee Information Protection Act | ||
- Trust Services Criteria (TSC) 2017 with 2022 Points of Focus | ||
|
||
New Controls: | ||
- GOV-16: Materiality Determination | ||
- GOV-16.1: Material Risks | ||
- GOV-16.2: Material Threats | ||
- GOV-17: Cybersecurity & Data Privacy Status Reporting | ||
- AAT-12.1: Data Source Identification | ||
- AAT-12.2: Data Source Integrity | ||
- BCD-01.5: Recovery Operations Criteria | ||
- BCD-01.6: Recovery Operations Communications | ||
- BCD-13.1: Restoration Integrity Verification | ||
- CAP-05: Elastic Expansion | ||
- CAP-06: Regional Delivery | ||
- CRY-12: Certificate Monitoring | ||
- DCH-27: Data Rights Management (DRM) | ||
- END-14.3: Participant Identity Verification | ||
- END-14.4: Participant Connection Management | ||
- END-14.5: Malicious Link & File Protections | ||
- IAC-04.2: Device Authorization Enforcement | ||
- IAC-13.3: Continuous Authentication | ||
- NET-06.6: Microsegmentation | ||
- NET-08.3: Host Containment | ||
- NET-08.4: Resource Containment | ||
- NET-18.4: Protocol Compliance Enforcement | ||
- NET-18.5: Domain Name Verification | ||
- NET-18.6: Internet Address Denylisting | ||
- NET-18.7: Bandwidth Control | ||
- NET-18.8: Authenticated Proxy | ||
- NET-18.9: Certificate Denylisting | ||
- NET-19: Content Disarm and Reconstruction (CDR) | ||
- NET-20: Email Content Protections | ||
- NET-20.1: Email Domain Reputation Protections | ||
- NET-20.2: Sender Denylisting | ||
- NET-20.3: Authenticated Received Chain (ARC) | ||
- NET-20.4: Domain-Based Message Authentication Reporting and Conformance (DMARC) | ||
- NET-20.5: User Digital Signatures for Outgoing Email | ||
- NET-20.6: Encryption for Outgoing Email | ||
- NET-20.7: Adaptive Email Protections | ||
- NET-20.8: Email Labeling | ||
- NET-20.9: User Threat Reporting | ||
- PRI-18: Data Controller Communications | ||
- SEA-04.4: System Privileges Isolation | ||
- SEA-21: Application Container | ||
- OPS-06: Security Orchestration, Automation, and Response (SOAR) | ||
- OPS-07: Shadow Information Technology Detection | ||
- THR-11: Behavioral Baselining | ||
|
||
Renamed Controls: | ||
none | ||
|
||
Control Wordsmithing: | ||
- AAT-12 | ||
- CFG-02.2 | ||
- DCH-22 | ||
- NET-18 | ||
- PRI-01.3 | ||
- PRI-02 | ||
- RSK-01 | ||
- RSK-01.1 | ||
- TPM-05 | ||
|
||
Updated Mapping: | ||
- NIST SP 800-53 R5 | ||
> AST-08 | ||
> IAC-09.3 | ||
> TDA-06.2 | ||
> TDA-13 | ||
- NIST 800-171 R2 | ||
> IAC-08 | ||
> IAC-15.1 | ||
- DORA | ||
> GOV-01 | ||
> GOV-01.2 | ||
> GOV-15 | ||
> CPL-01 | ||
> CPL-01.2 | ||
> MON-01 | ||
> MON-16 | ||
> IRO-01 | ||
> IRO-10 | ||
> NET-08 | ||
> RSK-09 | ||
> SEA-01 | ||
> TDA-17.1 | ||
> TPM-01 | ||
> TPM-03 | ||
> TPM-03.1 | ||
> TPM-04 | ||
> TPM-05 | ||
> TPM-05.7 | ||
> TPM-08 | ||
> VPM-07.1 |
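Review bot: the "Updated Mapping" section names the framework as "NIST 800-171 R2" while the entry directly above reads "NIST SP 800-53 R5"; use the same form ("NIST SP 800-171 R2") so the two NIST references are consistent. Consider also adding a release date next to "Version 2024.1 represents a minor update.", since this commit renames the spreadsheet from 2023.4 to 2024.1 and the PDF from 2023.2 to 2024.1, and the change log is the only place a consumer can tie those two version jumps to a point in time.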