Releases: securecontrolsframework/securecontrolsframework
SCF 2024.1.1
Version 2024.1.1 corrects the TSC 2017 mapping, which was cut off. That has been corrected.
Version 2024.1 represents a minor update.
- There are new controls.
- The SCF started utilizing Set Theory Relationship Mapping (STRM) per NIST IR 8477.
Added Mapping:
- NIST Cybersecurity Framework 2.0 (NIST CSF 2.0)
- NIST SP 800-207
- DoD Zero Trust Reference Architecture v2 (July 2022)
- Australia Essential 8
- China Cybersecurity Law (2017)
- Criminal Justice Information Services (CJIS) 5.9.3
- Trusted Internet Connections 3.0
- Digital Operational Resilience Act (DORA)
- FTC's Standards for Safeguarding Consumer Information (GLBA 2023)
- IEC TR 60601-4-5:2021
- ISO 42001:2024
- NIS 2 Directive
- NY DFS NYCRR500 (2023)
- SEC Cybersecurity Rule (2023)
- Spain Royal Decree 311/2022
- Space Attack Research & Tactic Analysis (SPARTA) Countermeasures
- Tennessee Information Protection Act
- Trust Services Criteria (TSC) 2017 with 2022 Points of Focus
New Controls:
- GOV-16: Materiality Determination
- GOV-16.1: Material Risks
- GOV-16.2: Material Threats
- GOV-17: Cybersecurity & Data Privacy Status Reporting
- AAT-12.1: Data Source Identification
- AAT-12.2: Data Source Integrity
- BCD-01.5: Recovery Operations Criteria
- BCD-01.6: Recovery Operations Communications
- BCD-13.1: Restoration Integrity Verification
- CAP-05: Elastic Expansion
- CAP-06: Regional Delivery
- CRY-12: Certificate Monitoring
- DCH-27: Data Rights Management (DRM)
- END-14.3: Participant Identity Verification
- END-14.4: Participant Connection Management
- END-14.5: Malicious Link & File Protections
- IAC-04.2: Device Authorization Enforcement
- IAC-13.3: Continuous Authentication
- NET-06.6: Microsegmentation
- NET-08.3: Host Containment
- NET-08.4: Resource Containment
- NET-18.4: Protocol Compliance Enforcement
- NET-18.5: Domain Name Verification
- NET-18.6: Internet Address Denylisting
- NET-18.7: Bandwidth Control
- NET-18.8: Authenticated Proxy
- NET-18.9: Certificate Denylisting
- NET-19: Content Disarm and Reconstruction (CDR)
- NET-20: Email Content Protections
- NET-20.1: Email Domain Reputation Protections
- NET-20.2: Sender Denylisting
- NET-20.3: Authenticated Received Chain (ARC)
- NET-20.4: Domain-Based Message Authentication Reporting and Conformance (DMARC)
- NET-20.5: User Digital Signatures for Outgoing Email
- NET-20.6: Encryption for Outgoing Email
- NET-20.7: Adaptive Email Protections
- NET-20.8: Email Labeling
- NET-20.9: User Threat Reporting
- PRI-18: Data Controller Communications
- SEA-04.4: System Privileges Isolation
- SEA-21: Application Container
- OPS-06: Security Orchestration, Automation, and Response (SOAR)
- OPS-07: Shadow Information Technology Detection
- THR-11: Behavioral Baselining
Control Wordsmithing:
- AAT-12
- CFG-02.2
- DCH-22
- NET-18
- PRI-01.3
- PRI-02
- RSK-01
- RSK-01.1
- TPM-05
Updated Mapping:
NIST SP 800-53 R5
- AST-08
- IAC-09.3
- TDA-06.2
- TDA-13
NIST 800-171 R2
- IAC-08
- IAC-15.1
DORA
- GOV-01
- GOV-01.2
- GOV-15
- CPL-01
- CPL-01.2
- MON-01
- MON-16
- IRO-01
- IRO-10
- NET-08
- RSK-09
- SEA-01
- TDA-17.1
- TPM-01
- TPM-03
- TPM-03.1
- TPM-04
- TPM-05
- TPM-05.7
- TPM-08
- VPM-07.1
SCF 2023.4
Version 2023.4 represents a minor update.
- There are new controls.
- Risk & threat models were updated.
Added Mapping:
- CIS CSC v8.0 IG1-IG3
- ISO/SAE 21434:2021 - Road vehicles — Cybersecurity engineering
- NIST SP 800-82 - Guide to Industrial Control Systems (ICS) Security Rev 3 (OT Overlay low, mod, high)
- NIST SP 800-171 R3 Final Public Draft (FPD)
- NIST 800-171A R3 Initial Public Draft (IPD)
- UN - UNECE WP.29
- US - 52.204-27 Prohibition on a ByteDance Covered Application
- Germany - Banking Supervisory Requirements for IT (BAIT)
- Australia - Prudential Standard CPS 230 - Operational Risk Management
New Controls:
- CLD-13: Hosted Systems, Applications & Services
- CLD-13.1: Authorized Individuals For Hosted Systems, Applications & Services
- CLD-13.2: Sensitive/Regulated Data On Hosted Systems, Applications & Services
- CLD-14: Prohibition On Unverified Hosted Systems, Applications & Services
- DCH-01.4: Defining Access Authorizations for Sensitive/Regulated Data
- IAC-20.7: Authorized System Accounts
- TPM-03.4: Adequate Supply
- WEB-14: Publicly Accessible Content Reviews
Renamed Controls:
- CPL-02 - Cybersecurity & Data Protection Controls Oversight
- CPL-03 - Cybersecurity & Data Protection Assessments
- CPL-03.2 - Functional Review Of Cybersecurity & Data Protection Controls
- DCH-09 - System Media Sanitization
- DCH-09.1 - System Media Sanitization Documentation
- IAC-02.2 - Replay-Resistant Authentication
- IAC-15.1 - Automated System Account Management (Directory Services)
- IAC-15.7 - System Account Reviews
Control Wordsmithing:
- AST-02.5 - Network Access Control (NAC)
- BCD-11.7 - Redundant Secondary System
- CPL-02 - Cybersecurity & Data Protection Controls Oversight
- CPL-03 - Cybersecurity & Data Protection Assessments
- CPL-03.1 - Independent Assessors
- CPL-03.2 - Functional Review Of Cybersecurity & Data Protection Controls
- CFG-03.4 - Split Tunneling
- MON-03 - Content of Event Logs
- DCH-09 - System Media Sanitization
- DCH-09.1 - System Media Sanitization Documentation
- DCH-14.3 - Data Access Mapping
- IAC-02.2 - Replay-Resistant Authentication
- IAC-15.1 - Automated System Account Management (Directory Services)
- IAC-15.7 - System Account Reviews
- VPM-06.5 - Review Historical Event Logs
New Threats:
- MT-14: Willful Criminal Conduct
- MT-15: Conflict of Interest (COI)
- MT-16: Macroeconomics
Updated Mapping:
NIST SP 800-53 R5
AST-03
AST-04.1
BCD-10.4
BCD-12.2
BCD-13
CLD-03
CFG-08
MON-07.1
MON-08.1
END-12
IAC-01.2
MNT-05.1
MNT-08
NET-06.5
NET-14.8
PES-05.2
SEA-07.2
SEA-07.3
SAT-03.2
TPM-03.4
- CIS 8.0
CRY-05
END-04
END-04.3
- DFARS
GOV-06
GOV-15.1
GOV-15.2
AST-17
CPL-01
CPL-01.1
DCH-01.2
END-04
IRO-04.1
IRO-08
IRO-10
IRO-10.2
IRO-10.4
IRO-12
IAO-02
SEA-02.1
TPM-01
TPM-01.1
TPM-05
TPM-05.2
SCF 2023.3.1
Version 2023.3.1 errata (minor corrections):
- AST-01- 2023.3.1 - added Article 21.2(i) for NIS 2 and 2.0 for CIS 8.0
- AST-02- 2023.3.1 - added 2.0 for CIS 8.0
- MON-02- 2023.3.1 - updated CIS 8.0 (typo correction for 12.1 to 13.1)
- IAC-01- 2023.3.1 - added Article 21.2(i) for NIS 2
Version 2023.3 represents a minor update.
Added Mapping:
- Australia Essential Eight
- Canada OSFI B-13
- Cybersecurity Maturity Model Certification (CMMC) 2.1 (draft release)
- EU-US Data Privacy Framework
- European Banking Authority (EBA) Guidelines on ICT and security risk management
- FedRAMP R5
- Kenya DPA 2019
- MITRE ATT&CK
- Nigeria DPR 2019
- NIS2
- NIST CSF v2.0 Initial Public Draft (IPD)
- NSTC NSPM-33
- PCI DSS Self-Assessment Questionnaires (SAQs)
- Qatar PDPPL
- Saudi Arabia SACS-002
- SEC Cybersecurity Rule
- Serbia 87/2018
- SWIFT CSF 2023
- UN R155
- UK CAP 1850
Wordsmithing controls:
- BCD-10.3 - Provider Continency Plan
- CHG-06 - Cybersecurity Functionality Verification
- PRI-15 - Register As A Data Controller and/or Data Processor
- RSK-01.3 - Risk Tolerance
- RSK-01.4 - Risk Threshold
- SEA-07.1 - Technology Lifecycle Management
- SAT-03 - Role-Based Cybersecurity & Data Privacy Training
- TDA-02.4 - Pre-Established Secure Configurations
- TDA-12 - Customized Development of Critical Components
- TDA-17 - Unsupported Systems
- TPM-04.3 - Conflict of Interests
Renamed controls:
- GOV-01 - Cybersecurity & Data Protection Governance Program
- GOV-03 - Periodic Review & Update of Cybersecurity & Data Protection Program
- CHG-02.3 - Cybersecurity & Data Privacy Representative for Asset Lifecycle Changes
- CPL-02 - Cybersecurity & Data Privacy Controls Oversight
- CPL-03 - Cybersecurity & Data Privacy Assessments
- CPL-03.2 - Functional Review Of Cybersecurity & Data Privacy Controls
- CRY-10 - Transmission of Cybersecurity & Data Privacy Attributes
- DCH-05 - Cybersecurity & Data Privacy Attributes
- DCH-23.6 - Differential Data Privacy
- HRS-13.2 - Identify Vital Cybersecurity & Data Privacy Staff
- HRS-13.3 - Establish Redundancy for Vital Cybersecurity & Data Privacy Staff
- IRO-02.4 - Incident Classification & Prioritization
- PRI-01.3 - Dissemination of Data Privacy Program Information
- PRI-07.1 - Data Privacy Requirements for Contractors & Service Providers
- PRI-14 - Data Privacy Records & Reporting
- PRI-15 - Register As A Data Controller and/or Data Processor
- PRI-17.1 - Conspicuous Link To Data Privacy Notice
- PRM-01 - Cybersecurity & Data Privacy Portfolio Management
- PRM-02 - Cybersecurity & Data Privacy Resource Management
- PRM-04 - Cybersecurity & Data Privacy In Project Management
- PRM-05 - Cybersecurity & Data Privacy Requirements Definition
- SAT-01 - Cybersecurity & Data Privacy-Minded Workforce
- SAT-02 - Cybersecurity & Data Privacy Awareness Training
- SAT-03 - Role-Based Cybersecurity & Data Privacy Training
- SAT-03.4 -Vendor Cybersecurity & Data Privacy Training
- SAT-03.7 -Continuing Professional Education (CPE) - Cybersecurity & Data Privacy Personnel
- SAT-04 - Cybersecurity & Data Privacy Training Records
- TDA-02.4 - Pre-Established Secure Configurations
- TDA-02.7 - Cybersecurity & Data Privacy Representatives For Product Changes
- TDA-09 - Cybersecurity & Data Privacy Testing Throughout Development
SCF 2023.2
Version 2023.2 represents a minor update. While there are no new controls, the Security & Privacy Capability Maturity Model (SP-CMM) was completely refreshed with new content.
Added Mapping:
- Safeguarding of Naval Nuclear Propulsion Information (NNPI)
- Trust Services Criteria 2017 (points of focus)
- UK Cyber Assessment Framework v3.1
Wordsmithing control:
- NET-08.1
- NET-08.2
Updated Mapping:
- NIST CSF 1.1
o AST-01
o AST-09
o CFG-01
o CHG-01
o CRY-01
o END-01
o IAC-10
o IRO-02
o IRO-04
o IRO-05
o MNT-01
o MON-02
o RSK-02
o RSK-09
o SEA-07
o TDA-01
o THR-01
o TPM-01
o TPM-03
o TPM-04
o VPM-03 - NIST SP 800-171
o AST-01
o AST-02.1
o AST-05
o CHG-01
o CLD-01
o CLD-02
o CLD-03
o CPL-02.1
o CPL-03
o CPL-03.1
o CFG-02
o CFG-03.2
o MON-02
o MON-03.1
o CRY-03
o CRY-04
o CRY-09
o DCH-03
o DCH-06
o DCH-13.1
o END-03
o HRS-05
o IAC-04
o IAC-08
o IAC-16
o IAC-16.1
o IAC-21.1
o IAC-21.3
o IAC-21.4
o IAC-24.1
o IRO-05
o IAO-02
o IAO-03.2
o MNT-04.1
o MDM-01
o MDM-06
o MDM-07
o NET-04.1
o NET-08
o NET-14
o NET-14.5
o NET-18
o PES-04
o PES-05
o PES-05.1
o PES-05.2
o PES-12
o PES-12.1
o PES-12.2
o SEA-03
o SEA-07
o SEA-18.1
o SEA-18.2
o SEA-20
o TDA-01
o TDA-08
o TPM-05
o TPM-05.2
o THR-01
o THR-03
o VPM-05
o VPM-06.3 - NIST SP 800-171A
o CRY-09
o DCH-03
o IAC-08 - CMMC
o AST-01
o AST-04.1
o CHG-01
o CPL-02.1
o CPL-03
o CPL-03.1
o CFG-02
o CFG-03.2
o MON-02
o MON-03.1
o CRY-03
o CRY-09
o DCH-03
o DCH-06
o DCH-13.1
o END-03
o IAC-04
o IAC-08
o IAC-16
o IAC-16.1
o IAC-21.1
o IAC-21.3
o IAC-21.4
o IAC-24.1
o IRO-05
o IAO-02
o IAO-03.2
o MNT-04.1
o MDM-01
o MDM-06
o MDM-07
o NET-08
o NET-14
o NET-14.5
o NET-18
o PES-04
o PES-05
o PES-05.1
o PES-05.2
o PES-12
o PES-12.1
o PES-12.2
o SEA-03
o SEA-18.1
o SEA-18.2
o SEA-20
o TDA-08
o TPM-05
o TPM-05.2
o THR-01
o THR-03
o VPM-05
o VPM-06.3 - NIST SP 800-53 R5
o AST-02.5
o CPL-03
o HRS-05
o TDA-01 - DFARS 252.204-7012
o TPM-05.2 - PCI DSS 3.2
o IAC-01 - ISO 27001
o NET-08.1 - ISO 27002
o IRO-11
o NET-08.1
o PRI-02
o PRI-02.1
o WEB-02 - COBIT 2019
o GOV-02
o GOV-05.1
o GOV-05.2
o IAO-04
o TDA-15
o VPM-04
o IAO-05 - TSC 2017
o GOV-15.1
o GOV-15.2 - CIS 8.0
o BCD-01
o CFG-01
o CFG-02
o CFG-02.1
SCF 2023.1
Version 2023.1 represents a major update, due to the inclusion of a new domain, as well as some other new content and minor refinements to improve readability. This version also includes a new Assessment Objectives (AOs) list that is intended to be used to help assess against controls to come to an objective determination if the intent of the control is or is not met.
Added Mapping:
- NIST Artificial Intelligence Risk Management Framework (AI RMF 1.0)
- Australia ISM December 2022
- CISA Cross-Sector Cybersecurity Performance Goals (CPG)
- EU Digital Operational Resilience Act (DORA)
- MPA Content Security Best Practices v5.1
- Spain - ICT Security Guide CCN-STIC 825
- Saudi Arabia - Operational Technology Cybersecurity Controls (OTCC -1: 2022)
- TSA / DHS Security Directive 1580/82-2022-01 (Rail Cybersecurity Mitigation Actions and Testing)
Updated Mapping:
- SCF-I (Cyber Insurance) baseline
- NIST SP 800-171A (Assessment Objectives)
- Virginia CDPA 2023 (numbering)
Threat Catalog:
- MT-12: Redundant, Obsolete/Outdated, Toxic or Trivial (ROT) Data
- MT-13: Artificial Intelligence & Autonomous Technologies (AAT)
Risk Catalog:
- R-AM-3: Emergent property and/or unintended consequences
Removed Mapping:
- MPA Content Security Best Practices v4.1
Added Controls:
- GOV-04.1
- GOV-04.2
- AAT-01
- AAT-01.1
- AAT-01.2
- AAT-01.3
- AAT-02
- AAT-02.1
- AAT-02.2
- AAT-03
- AAT-03.1
- AAT-04
- AAT-04.1
- AAT-04.2
- AAT-04.3
- AAT-04.4
- AAT-05
- AAT-06
- AAT-07
- AAT-07.1
- AAT-07.2
- AAT-07.3
- AAT-08
- AAT-09
- AAT-10
- AAT-10.1
- AAT-10.2
- AAT-10.3
- AAT-10.4
- AAT-10.5
- AAT-10.6
- AAT-10.7
- AAT-10.8
- AAT-10.9
- AAT-10.10
- AAT-10.11
- AAT-10.12
- AAT-10.13
- AAT-10.14
- AAT-11
- AAT-11.1
- AAT-11.2
- AAT-11.3
- AAT-11.4
- AAT-12
- AAT-13
- AAT-13.1
- AAT-14
- AAT-14.1
- AAT-14.2
- AAT-15
- AAT-15.1
- AAT-15.2
- AAT-16
- AAT-16.1
- AAT-16.2
- AAT-16.3
- AAT-16.4
- AAT-16.5
- AAT-16.6
- AAT-16.7
- AAT-17
- AAT-17.1
- AAT-17.2
- AAT-17.3
- AAT-18
- AAT-18.1
- AST-31
- AST-31.1
- BCD-11.9
- BCD-11.10
- BCD-16
- RSK-01.2
- RSK-01.3
- RSK-01.4
- RSK-09.2
- RSK-12
- TPM-05.7
Renamed:
- GOV-01
- GOV-01.1
- GOV-02
- GOV-03
- GOV-04
- DCH-18.1
- DCH-18.2
- MON-03
Updated Mapping:
- NIST SP 800-53 R5
o TPM-05 - NIST SP 800-171A
o GOV-02
o BCD-11.4
o CPL-02
o CFG-01
o CFG-03
o CFG-03.1
o CFG-05
o MON-01
o MON-01.3
o MON-01.8
o MON-02
o MON-02.1
o MON-03
o MON-03.2
o MON-03.7
o MON-07
o MON-07.1
o MON-10
o CRY-01
o CRY-01.1
o CRY-04
o CRY-05
o DCH-01
o DCH-03
o DCH-09
o DCH-10
o DCH-10.2
o END-01
o END-03.2
o END-04
o END-04.1
o END-04.7
o HRS-01
o HRS-05.1
o HRS-07
o HRS-08
o HRS-09
o IAC-02
o IAC-03
o IAC-05
o IAC-06.1
o IAC-06.2
o IAC-06.3
o IAC-10
o IAC-10.1
o IAC-15
o IAC-15.3
o IAC-20
o IAC-21.4
o IAC-21.5
o IRO-01
o IRO-10
o IAO-02
o IAO-03
o IAO-05
o MNT-02
o MNT-04
o MNT-04.2
o MNT-05
o MNT-06
o MDM-03
o NET-06
o NET-13
o PES-01
o PES-03
o PES-03.3
o PES-05.2
o PES-06
o SEA-01
o SAT-02
o SAT-03
o TDA-06
o THR-03
o VPM-01
o VPM-02
o VPM-05
o VPM-06
Control Wordsmithing:
- GOV-01.1
- BCD-11.1
- CLD-04
- CFG-02
- CRY-01.1
- DCH-04.1
- DCH-23.9
- IAC-09.2
- IAC-20.2
- IRO-02.6
- NET-02
- NET-10.1
- NET-15.1
- PES-06.3
- PES-18
- PRI-07
- PRI-07.1
- PRM-02
- RSK-02
- SEA-08.1
- VPM-06.7
SCF 2022.3
Version 2022.3 represents a minor update, where there is some new content and minor refinement of the risk catalog to standardize wording improve readability. This version also includes a new Evidence Request List (ERL) to help standardize naming for evidence artifacts.
Terminology Wordsmithing:
security and privacy controls > cybersecurity and privacy controls
security program > cybersecurity program
sensitive data > sensitive/regulated data
Added Mapping:
Australian Government Information Security Manual (ISM) September 2022
BSI Standard 200-1
California Privacy Rights Act (CPRA) - November 2022 version
Cybersecurity Capability Maturity Model (C2M2) v2.1
Illinois Biometric Information Privacy Act (PIPA)
Illinois Identity Protection Act (IPA)
ISO 27017:2015
ISO 27001:2022
Japan Information System Security Management and Assessment Program (ISMAP)
New Zealand NZISM 3.6
Shared Assessments SIG 2023
US Centers for Medicare & Medicaid Services MARS-E Document Suite, Version 2.0
Updated Mapping:
IRS Publication 1075
Removed Mapping:
Australian Government Information Security Manual (ISM) November 2020
California Consumer Privacy Act (CCPA)
APAC - New Zealand NZISM 3.4
Added Controls:
GOV-15 - Operationalizing Cybersecurity & Privacy Practices
GOV-15.1 - Select Controls
GOV-15.2 - Implement Controls
GOV-15.3 - Assess Controls
GOV-15.4 - Authorize Systems, Applications & Services
GOV-15.5 - Monitor Controls
BCD-15 - Reserve Hardware
CLD-01.1 - Cloud Infrastructure Onboarding
CLD-01.2 - Cloud Infrastructure Offboarding
CFG-08 - Sensitive / Regulated Data Access Enforcement
CFG-08.1 - Sensitive / Regulated Data Actions
MON-16.4 - Account Creation and Modification Logging
CRY-09.7 - External System Cryptographic Key Control
CRY-11 - Certificate Authorities
DCH-01.3 - Sensitive / Regulated Media Records
IAC-10.12 - Biometric Authentication
IAC-16.2 - Privileged Account Separation
IRO-04.3 - Continuous Incident Response Improvements
IAO-05.1 - Plan of Action & Milestones (POA&M) Automation
MNT-05.7 - Separation of Maintenance Sessions
NET-09.2 - Unique System-Generated Session Identifiers
NET-18.3 - Route Privileged Network Access
PRI-02.7 - Real-Time or Layered Notice
PRI-03.7 - Active Participation By Data Subjects
PRI-03.8 - Global Privacy Control (GPC)
PRI-04.5 - Validate Collected Personal Data
PRI-04.6 - Re-Validate Collected Personal Data
PRI-17 - Data Subject Communications
PRI-17.1 - Conspicuous Link To Privacy Notice
PRI-17.2 - Notice of Financial Incentive
TDA-02.7 - Security & Privacy Representatives For Product Changes
TDA-09.7 - Manual Code Review
TDA-14.2 - Hardware Integrity Verification
Renamed:
BCD-09.3 - Alternate Site Priority of Service
BCD-10.1 - Telecommunications Priority of Service Provisions
CHG-02.3 - Security & Privacy Representative for Asset Lifecycle Changes
CLD-03 - Cloud Infrastructure Security Subnet
IAO-03.2 - Adequate Security for Sensitive / Regulated Data In Support of Contracts
NET-03.1 - Limit Network Connections
PRI-03.3 - Prohibition Of Selling or Sharing Personal Data (PD)
PRI-03.6 - Authorized Agent
VPM-01.1 - Attack Surface Scope
Wordsmithed Control:
CHG-02.3
CLD-12
NET-03.1
PRI-01.5
PRI-03.3
RSK-08
RSK-10
VPM-01.1
Updated Existing Mappings:
CIS v8
o IRO-02
o IRO-04
o IRO-07
o IRO-09
o IRO-10
FCT Act Part 314
o GOV-01
ISO 27002:2013
o GOV-01
o GOV-01.1
o GOV-02
o GOV-09
o DCH-01
o HRS-03
o HRS-04
o HRS-05
o HRS-05.1
o HRS-05.4
o HRS-07
o IAC-01
o MDM-01
o RSK-01
NIST SP 800-53 R4
o MON-03
o MON-14
o DCH-13.2
o DCH-23
o IAC-06.4
o NET-17
o PRI-02.3
o PRI-02.4
o PRI-03.1
o PRI-06.4
o OPS-03
NIST SP 800-53 R5
o MON-14
o DCH-13.2
o IAC-06.4
o NET-17