Releases · securecontrolsframework/securecontrolsframework

Version 2026.1 represents a moderate update, based on:

New and updated Set Theory Relationship Mapping (STRM) for multiple laws, regulations and frameworks.
Updated maturity model criteria;
Updated “possible solutions & considerations” criteria; and
Proposed compensating controls (see the “SCF Overview & Practitioner Guidebook” for guidance on compensating controls - https://securecontrolsframework.com/content/SCF-Recommended-Practices.pdf)

Version 2025.4 represents a minor update, based on number of new and changed controls in the Secure Controls Framework (SCF). You can download the new version of the SCF and errata from:
 SCF https://securecontrolsframework.com/scf-download/
 Errata https://github.com/securecontrolsframework/securecontrolsframework/blob/main/SCF%202025.4%20Errata.txt

The Assessment Objectives (AOs) tab was enhanced to identify applicability for People, Process, Technology, Data or Facility (PPTDF) at the AO level. This helps organizations and service providers better understand the administrative, technical or physical nature of the requirements that need to be demonstrated for an AO to be met.

New laws, regulations and frameworks:
 APEC Privacy Framework 2015
 IMO Maritime Cyber Risk Management
 India SEBI CSCRF
 ISO 27701:2025
 ISO 29100:2024
 OECD Privacy Principles
 Shared Assessments SIG 2025
 HHS 45 CFR 155.260
 GovRAMP (formerly StateRAMP)
 CCPA 2025
 NV NOGE Reg 5
 VA CDPA 2025

Removed laws, regulations and frameworks:
 ISO 27001:2013
 ISO 27002:2013
 ISO 29100:2011
 NIST CSF 1.1
 PCI DSS 3.2
 Shared Assessments SIG 2023

New Controls:
 CPL-01.6 - Assessment Team Subject Matter Expertise
 CPL-12 - Statement of Applicability (SOA)
 PRI-01.11 - Reasonable Data Privacy Practices
 PRI-02.8 - Purpose Compatibility
 PRI-02.9 - Privacy Notice Formatting
 PRI-02.10 - Symmetry In Choice
 PRI-02.11 - Choice Architecture
 PRI-02.12 - Choice Architecture Testing
 PRI-02.13 - Notice of Right To Limit
 PRI-02.14 - Alternative Means To Deliver Privacy Notice
 PRI-03.12 - Data Subject Opt-In Consent
 PRI-03.13 - Parent or Guardian Opt-In Consent For Minors
 PRI-06.8 - Data Subject Authentication
 PRI-17.3 - Data Subject Communications Documentation
 PRI-17.4 - Data Subject Communications Metrics
 PRI-17.5 - Data Subject Communications Disclosure
 PRI-19 - Automated Decision-Making Technology (ADMT) For Data Subject Actions
 PRI-19.1 - Automated Decision-Making Technology (ADMT) Use Notification
 PRI-19.2 - Automated Decision-Making Technology (ADMT) Opt-Out Consent
 PRI-19.3 - Automated Decision-Making Technology (ADMT) Transparency
 PRI-20 - Data Brokers
 PRI-21 - Notice of Right To Opt-Out
 PRI-21.1 - Opt-Out Links
 PRI-21.2 - Alternative Out-Out Link
 RSK-04.3 - Instances Requiring A Risk Assessment
 RSK-04.4 - Risk Assessment Stakeholder Involvement
 RSK-06.3 - Risk Treatment Options
 RSK-06.4 - Risk Treatment Plan
 RSK-13 - Executive Leadership Approval For Managing Material Risk
 RSK-13.1 - Documented Alternatives
 RSK-13.2 - Documented Justification For Material Risk Management Decisions

Renamed Controls:
 PRI-10.1 - Data Quality Automation
 PRI-12 - Updating Personal Data (PD) Process

Wordsmithed Controls:
 DCH-01.2
 MNT-10
 PRI-01.4
 PRI-01.8
 PRI-01.9
 PRI-02
 PRI-02.1
 PRI-02.2
 PRI-03
 PRI-03.1
 PRI-03.2
 PRI-03.4
 PRI-03.9
 PRI-03.10
 PRI-04.1
 PRI-05.4
 PRI-05.5
 PRI-06
 PRI-06.2
 PRI-06.4
 PRI-09
 PRI-12
 PRI-14

Updated
 DORA
o SEA-02
o SEA-03

 CMMC Level 2
o CFG-02
o CFG-02.9
o MON-01
o MON-01.16
o MON-11.3
o MON-16
o CRY-01.1
o CRY-05
o DCH-01.2
o HRS-01.1
o HRS-04.1
o HRS-04.2
o IAC-06
o IRO-03
o MNT-04.1
o MNT-05.4
o SAT-03.6
o THR-03
o VPM-04

 NIS2
o SEA-02
o SEA-03

 NIST 800-171 R2
o CLD-01
o CLD-02
o CFG-02.9
o MON-01
o MON-01.16
o MON-11.3
o MON-16
o CRY-01.1
o CRY-05
o DCH-01.2
o HRS-01.1
o HRS-04.1
o HRS-04.2
o IAC-06
o IRO-03
o MNT-04.1
o MNT-05.4
o SAT-03.6
o THR-03
o VPM-04

Version 2025.3.1 makes minor edits for CMMC L1 to reflect the numbering format change.

Version 2025.3 represents a major update, based on number of new and changed controls in the Secure Controls Framework (SCF). There are many new controls in SCF 2025.2 and the majority of the new controls are focused on the governance of Artificial Intelligence (AI), but are sourced from SCF Community Derived Content, a volunteer initiative to address existing risks that organizations face, but there is a lack of a law, regulation or industry-recognized standard that supports a certain action. The SCF took the lead on organizing Subject Matter Experts (SMEs) to develop, compile and edit recommendations from the industry.

You can download the new version of the SCF and errata from:
 SCF https://securecontrolsframework.com/scf-download/
 Errata https://github.com/securecontrolsframework/securecontrolsframework/blob/main/SCF%202025.3%20Errata.txt

Added new control sets:
 Conformity Validation Cadence (CVC)
 SCF CORE Community Derived
 SCF CORE ESP Level 1 Foundational
 SCF CORE ESP Level 2 Critical Infrastructure
 SCF CORE ESP Level 3 Advanced Threats
 SCF CORE AI-Enabled Operations
 SCF CORE AI Model Deployment

Added / Updated Set Theory Relationship Mappings (STRM) for:
 Texas SB 2610

New Controls:
 GOV-19 - Assurance
 GOV-19.1 - Assurance Levels (AL)
 GOV-19.2 - Assessment Objectives (AO)
 GOV-20 - Mergers, Acquisitions & Divestitures (MA&D)
 GOV-20.1 - Virtual Data Room (VDR)
 AAT-01.4 - AI Model & Agent Inventory & Lifecycle Management
 AAT-02.4 - AI Threat Modeling & Risk Assessment
 AAT-03.2 - Model & AI Agent Documentation
 AAT-10.19 - AI TEVV Third-Party Risk Management
 AAT-16.11 - Anomaly Detection & Human Oversight
 AAT-16.12 - Human-in-the-Loop & Escalation
 AAT-16.13 - Emergent Behavior & Collusion Protections
 AAT-16.14 - Multi-Agent Trust & Communication Validation
 AAT-28 - AI Model Resilience
 AAT-28.1 - Model Pollution
 AAT-28.2 - Cascading Hallucination Defense
 AAT-28.3 - Resource Exhaustion & DoS Resilience
 AAT-29 - AI Agent Governance
 AAT-29.1 - Infrastructure Hardening & Isolation
 AAT-29.2 - AI Agent Limitations
 AAT-29.3 - Tool & API Invocation Controls
 AAT-29.4 - Orchestration Protocol Safeguards
 AAT-29.5 - Data Pipeline & Input Integrity
 AAT-29.6 - Privileged Role & Delegation Boundaries
 AAT-29.7 - AI Agent Data Access Restrictions
 AAT-29.8 - Data Extraction
 AAT-29.9 - AI Agent Identity & Impersonation Defense
 AAT-29.10 - AI Agent Logic Integrity
 AAT-29.11 - Sandboxing AI Agents
 AAT-29.12 - Prompt Injection Defense
 AAT-29.13 - Agent Kill Switch / User Control
 AAT-29.14 - Adversarial & Red Team Testing
 AAT-29.15 - Self-Modification Controls
 AAT-29.16 - Purging AI Agent Data
 AAT-29.17 - Delegation and Chaining Control
 AAT-29.18 - Behavioral Drift Detection
 AAT-29.19 - AI Agent Action Authentication & Authorization
 AAT-29.20 - Transparency & Audit
 AAT-29.21 - Explainability
 AAT-29.22 - Ethics, Fairness & Bias Detection
 AAT-29.23 - Agent Output Integrity & Verification
 AAT-30 - Agentic Output Traceability & Repudiation
 AAT-30.1 - AI Agent Logging
 AAT-30.2 - Session Management
 AAT-31 - Human-in-the-Loop Workload & Manipulation
 AAT-32 - Robotic Process Automation (RPA)
 AAT-32.1 - Business Process Task Enumeration
 AST-31.3 - Asset Attributes
 AST-32 - Automated Network Asset Discovery
 CLD-04.1 - API Gateway
 CLD-15 - Software Defined Storage (SDS)
 CPL-03.4 - Assessment Methods
 CPL-03.5 - Assessment Rigor
 CPL-03.6 - Evidence Request List (ERL)
 CPL-03.7 - Evidence Sampling
 CPL-09 - Control Reciprocity
 CPL-10 - Control Inheritance
 CPL-11 - Dual Use Technology
 CPL-11.1 - USML or CCL Identification
 CPL-11.2 - Export-Controlled Access Restrictions
 CPL-11.3 - Export Activities Documentation
 MON-18 - File Activity Monitoring (FAM)
 CRY-13 - Cryptographic Hash
 END-01.1 - Unified Endpoint Device Management (UEDM)
 END-06.8 - Extended Detection & Response (XDR)
 HRS-07.3 - Preventative Access Restriction
 IAC-06.5 - Alternative Multi-Factor Authentication
 IAC-10.14 - Passkeys
 IAC-16.3 - Privileged Command Execution
 IAC-16.4 - Dedicated Privileged Account
 IAC-29.1 - Real-Time Access Decisions
 IAC-29.2 - Access Profile Rules
 PRM-02.1 - Prioritization To Address Evolving Risks & Threats
 SEA-01.3 - Resilience Capabilities
 SEA-22 - Privileged Environments
 TDA-02.14 - Logging Syntax
 TDA-06.6 - Software Design Root Cause Analysis
 TDA-20.4 - Approved Code

Renamed Controls:
 GOV-15.4 - Authorize Technology Assets, Applications and/or Services (TAAS)
 GOV-17 - Cybersecurity & Data Protection Status Reporting
 AST-15.1 - Technology Asset Inspections
 BCD-11.3 - Recovery Images
 BCD-12 - Technology Assets, Applications and/or Services (TAAS) Recovery & Reconstitution
 CHG-02.3 - Cybersecurity & Data Protection Representative for Asset Lifecycle Changes
 CLD-04 - Application Programming Interface (API) Security
 CFG-02 - Secure Baseline Configurations
 CRY-10 - Transmission of Cybersecurity & Data Protection Attributes
 DCH-05 - Cybersecurity & Data Protection Attributes
 DCH-13 - Use of External Technology Assets, Applications and/or Services (TAAS)
 DCH-13.3 - Protecting Sensitive / Regulated Data on External Technology Assets, Applications and/or Services (TAAS)
 DCH-13.4 - Non-Organizationally Owned Technology Assets, Applications and/or Services (TAAS)
 HRS-06.2 - Post-Employment Requirements Awareness
 HRS-09.3 - Post-Employment Requirements Notification
 IAC-05 - Identification & Authentication for Third-Party Technology Assets, Applications and/or Services (TAAS)
 IAC-10.9 - Multiple System Accounts
 IAC-21.3 - Management Approval For Privileged Accounts
 IRO-02.6 - Automatic Disabling of Technology Assets, Applications and/or Services (TAAS)
 MDM-11 - Restricting Access To Authorized Technology Assets, Applications and/or Services (TAAS)
 PES-01.1 - Physical Security Plan (PSP)
 PRM-01 - Cybersecurity & Data Protection Portfolio Management
 PRM-02 - Cybersecurity & Data Protection Resource Management
 PRM-04 - Cybersecurity & Data Protection In Project Management
 PRM-05 - Cybersecurity & Data Protection Requirements Definition
 SEA-01.1 - Centralized Management of Cybersecurity & Data Protection Controls
 SAT-01 - Cybersecurity & Data Protection-Minded Workforce
 SAT-02 - Cybersecurity & Data Protection Awareness Training
 SAT-03 - Role-Based Cybersecurity & Data Protection Training
 SAT-03.4 - Vendor Cybersecurity & Data Protection Training
 SAT-03.7 - Continuing Professional Education (CPE) - Cybersecurity & Data Protection Personnel
 SAT-04 - Cybersecurity & Data Protection Training Records
 TDA-09 - Cybersecurity & Data Protection Testing Throughout Development
 TDA-17 - Unsupported Technology Assets, Applications and/or Services (TAAS)

Wordsmithed Controls:
 GOV-05
 GOV-05.1
 GOV-05.2
 GOV-11
 GOV-13
 GOV-14
 GOV-15
 GOV-15.1
 GOV-15.2
 GOV-15.3
 GOV-15.4
 GOV-15.5
 GOV-17
 AAT-02.2
 AAT-24
 AST-01.1
 AST-01.2
 AST-01.3
 AST-02
 AST-02.8
 AST-03.2
 AST-04.1
 AST-04.2
 AST-04.3
 AST-06
 AST-12
 AST-15
 AST-17
 AST-26
 AST-30
 AST-31
 BCD-01
 BCD-02
 BCD-06.1
 BCD-11.7
 BCD-12
 BCD-12.1
 BCD-12.2
 BCD-12.4
 CAP-02
 CAP-04
 CAP-05
 CAP-06
 CHG-02.3
 CHG-04.3
 CHG-06
 CHG-06.1
 CLD-01.1
 CLD-04
 CLD-07
 CLD-13
 CLD-13.1
 CLD-13.2
 CLD-14
 CPL-01.2
 CPL-03.1
 CPL-03.2
 CPL-05.2
 CPL-06
 CFG-02
 CFG-02.2
 CFG-02.5
 CFG-06
 CFG-08
 MON-01.4
 MON-01.7
 MON-01.11
 MON-02.5
 MON-02.8
 MON-02.9
 MON-03
 MON-03.6
 MON-07
 MON-16
 CRY-10
 DCH-02.1
 DCH-03.3
 DCH-05
 DCH-05.1
 DCH-05.2
 DCH-05.3
 DCH-05.4
 DCH-05.5
 DCH-05.6
 DCH-05.7
 DCH-05.8
 DCH-05.10
 DCH-05.11
 DCH-10.2
 DCH-11
 DCH-13
 DCH-13.1
 DCH-13.3
 DCH-13.4
 DCH-14.1
 DCH-14.2
 DCH-24.1
 EMB-02
 EMB-03
 END-01
 END-03.2
 END-04.1
 END-05
 END-06.5
 END-06.6
 END-14.1
 HRS-02.1
 HRS-05
 HRS-05.3
 HRS-05.7
 HRS-06.2
 HRS-08
 HRS-09.2
 HRS-09.3
 HRS-10
 HRS-12.1
 HRS-13
 IAC-01.3
 IAC-05
 IAC-06
 IAC-08
 IAC-09
 IAC-10.9
 IAC-13.1
 IAC-16
 IAC-20.2
 IAC-20.7
 IAC-21.6
 IRO-01
 IRO-02.3
 IRO-02.6
 IRO-07
 IRO-09
 IRO-09.1
 IRO-10.1
 IRO-10.3
 IRO-10.4
 IRO-10.5
 IRO-11
 IRO-12.3
 IRO-13
 IAO-01
 IAO-01.1
 IAO-02
 IAO-02.1
 IAO-03
 IAO-06
 IAO-07
 MNT-02
 MNT-03
 MNT-03.1
 MNT-03.2
 MNT-04.3
 MNT-05.6
 MNT-06.2
 MDM-02
 MDM-06
 MDM-11
 NET-03.1
 NET-03.7
 NET-04.13
 NET-05
 NET-06
 NET-14.5
 NET-14.7
 NET-16
 NET-18.9
 PES-01.1
 PES-03.4
 PES-05.2
 PES-07.6
 PES-08.3
 PES-18
 PRI-05.5
 PRM-01
 PRM-01.1
 PRM-02
 PRM-03
 PRM-04
 PRM-05
 PRM-06
 PRM-07
 PRM-08
 RSK-02
 RSK-02.1
 RSK-04
 RSK-06.1
 RSK-09
 RSK-09.1
 RSK-10
 RSK-11
 SEA-01
 SEA-01.1
 SEA-01.2
 SEA-02
 SEA-07.1
 SEA-08.1
 SEA-14
 SEA-18
 SEA-18.1
 OPS-05
 OPS-07
 SAT-01
 SAT-02
 SAT-03
 SAT-03.1
 SAT-03.4
 SAT-03.6
 SAT-03.7
 SAT-04
 TDA-01.1
 TDA-01.4
 TDA-02
 TDA-02.1
 TDA-02.4
 TDA-02.8
 TDA-02.9
 TDA-02.10
 TDA-02.13
 TDA-03.1
 TDA-04
 TDA-04.1
 TDA-04.2
 TDA-05
 TDA-06.1
 TDA-06.3
 TDA-06.5
 TDA-08
 TDA-08.1
 TDA-09
 TDA-09.1
 TDA-09.2
 TDA-09.3
 TDA-09.4
 TDA-09.5
 TDA-09.6
 TDA-09.7
 TDA-10.1
 TDA-13
 TDA-14.1
 TDA-14.2
 TDA-16
 TDA-17
 TDA-17.1
 TDA-21
 TDA-22
 TDA-22.1
 TPM-...

Version 2025.2.2 is a minor update that is released to announce the new SCF Cybersecurity Oversight, Resilience and Enablement (CORE) baselines:

SCF CORE Fundamentals
SCF CORE MA&D (Mergers, Acquisitions & Divestitures)

There are also a few minor updates to existing controls in the 2025.2.2 release:

Corrects the addition of New Zealand HISF 2022 mapping:

TPM-01
TPM-04.1
TPM-05
TPM-08

CMMC 2.0 Level 2 (updated mappings to correspond to NIST 800-171 R2 STRM)

CLD-06
CLD-10
CFG-02.1
IAC-15.1
NET-02.2
PES-06.1
WEB-02
WEB-04

Renamed Control

HRS-06.2
HRS-09.3

Wordsmithed Control

HRS-06.2
HRS-09.3
IAC-01.3
NET-06

Removes mapping for:

UK GDPR (redundant with STRM for EU GDPR mapping)

Version 2025.2.1 corrects a few items in the AAT domain due to a correction in the Set Theory Relationship Mapping (STRM) for NIST AI 600-1 and the EU AI Act:

EI AI Act changes:

AAT-22
AAT-22.3
AAT-22.4

NIST AI 600-1 changes:

AAT-06
AAT-10
AAT-24
AAT-26
AAT-26.1
TDA-22

Version 2025.2 represents a major update, based on number of new and changed controls in the Secure Controls Framework (SCF). There are seventy-nine (79) new controls in SCF 2025.2 and the majority of the new controls are focused on the governance of Artificial Intelligence (AI).

You can download the new version of the SCF and errata from:
 SCF https://securecontrolsframework.com/scf-download/
 Errata https://securecontrolsframework.com/errata/

Added / Updated Set Theory Relationship Mappings (STRM) for:
 EU Artificial Intelligence (AI)I Act (Regulation (EU) 2024/1689)
 EU Cyber Resilience Act
 EU Cyber Resilience Act - Annexes
 ENISA NIS2 Annex
 Farm Credit Administration (FCA) Cyber Risk Management
 NAIC Insurance Data Security Model Law 668
 NERC CIP (2024)
 NIST AI 100-1 (AI Risk Management Framework)
 NIST AI 600-1 (NIST Trustworthy and Responsible AI)
 NIST SP 800-171 R3
 NIST SP 800-171A R3
 NIST SP 800-218 v1.1
 NZ Health Information Security Framework (2022)
 HISO 10029:2024 NZ Health Information Security Framework Guidance for Suppliers

Removed SCF mappings to:
 South Carolina Insurance Data Security Act (directly maps to NAIC Insurance Data Security Model Law 668)

New controls:
 GOV-01.3 - Commitment To Continual Improvements
 GOV-18 - Quality Management System (QMS)
 AAT-02.3 - Adequate Protections For AI & Autonomous Technologies
 AAT-09.1 - AI & Autonomous Technologies High Risk Designations
 AAT-10.15 - AI TEVV Reporting
 AAT-10.16 - AI TEVV Empirically Validated Methods
 AAT-10.17 - AI TEVV Benchmarking Content Provenance
 AAT-10.18 - AI TEVV Model Collapse Mitigations
 AAT-12.3 - Data Source Lineage & Origin Disclosure
 AAT-12.4 - Digital Content Modification Logging
 AAT-16.8 - AI & Autonomous Technologies Event Logging
 AAT-16.9 - Serious Incident Reporting For AI & Autonomous Technologies
 AAT-16.10 - Serious Incident Root Cause Analysis (RCA) For AI & Autonomous Technologies
 AAT-17.4 - Novel Risk Assessment Methods & Technologies
 AAT-17.5 - Fine Tuning Risk Mitigation
 AAT-19 - AI & Autonomous Technologies Conformity
 AAT-19.1 - Manipulative or Deceptive Techniques
 AAT-19.2 - Materially Distorting Behaviors
 AAT-19.3 - Social Scoring
 AAT-19.4 - Detrimental or Unfavorable Treatment
 AAT-19.5 - Risk and Criminal Profiling
 AAT-19.6 - Populating Facial Recognition Databases
 AAT-19.7 - Emotion Inference
 AAT-19.8 - Biometric Categorization
 AAT-20 - AI & Autonomous Technologies Development Practices
 AAT-20.1 - AI & Autonomous Technologies Transparency
 AAT-20.2 - AI & Autonomous Technologies Implementation Documentation
 AAT-20.3 - AI & Autonomous Technologies Human Domain Knowledge Reliance
 AAT-21 - AI & Autonomous Technologies Registration
 AAT-22 - AI & Autonomous Technologies Deployment
 AAT-22.1 - AI & Autonomous Technologies Human Oversight
 AAT-22.2 - AI & Autonomous Technologies Oversight Measures
 AAT-22.3 - AI & Autonomous Technologies Separate Verification
 AAT-22.4 - AI & Autonomous Technologies Oversight Functions Competency
 AAT-22.5 - AI & Autonomous Technologies Data Relevance
 AAT-22.6 - AI & Autonomous Technologies Irregularity Reporting
 AAT-22.7 - AI & Autonomous Technologies Use Notification To Employees
 AAT-22.8 - AI & Autonomous Technologies Use Notification To Users
 AAT-23 - AI & Autonomous Technologies Output Marking
 AAT-24 - Real World Testing of AI & Autonomous Technologies
 AAT-25 - AI & Autonomous Technologies System Value Chain
 AAT-25.1 - AI & Autonomous Technologies System Value Chain Fallbacks
 AAT-26 - AI & Autonomous Technologies Testing Techniques
 AAT-26.1 - Generative Artificial Intelligence (GAI) Identification
 AAT-26.2 - AI & Autonomous Technologies Capabilities Testing
 AAT-26.3 - Real-World Testing
 AAT-26.4 - Documenting Testing Guidance
 AAT-27 - AI & Autonomous Technologies Output Filtering
 AAT-27.1 - Human Moderation
 AST-31.2 - High-Risk Asset Categorization
 BCD-06.1 - Contingency Planning Components
 BCD-06.2 - Contingency Plan Update Notifications
 CHG-07 - Emergency Changes
 CHG-07.1 - Documenting Emergency Changes
 CPL-01.4 - Conformity Assessment
 CPL-01.5 - Declaration of Conformity
 CPL-02.3 - Corrective Action
 CPL-03.3 - Assessor Access
 CPL-08 - Localized Representation
 CPL-08.1 - Representative Powers
 MON-02.9 - Inventory of Technology Asset Event Logging
 HRS-07.2 - Updating Disciplinary Processes
 IAC-10.13 - Events Requiring Authenticator Change
 IRO-09.2 - Recurring Incident Analysis
 IRO-10.5 - Serious Incident Reporting
 RSK-04.2 - Risk Assessment Methodology
 SAT-01.1 - Maintaining Workforce Development Relevancy
 TDA-02.8 - Minimizing Attack Surfaces
 TDA-02.9 - Ongoing Product Security Support
 TDA-02.10 - Product Testing & Reviews
 TDA-02.11 - Disclosure of Vulnerabilities
 TDA-02.12 - Products With Digital Elements
 TDA-02.13 - Reporting Exploitable Vulnerabilities
 TDA-21 - Product Conformity Governance
 TDA-22 - Technical Documentation Artifacts
 TDA-22.1 - Product-Specific Risk Assessment Artifacts
 VPM-04.3 - Deferred Patching Decisions
 VPM-05.8 - Software Patch Integrity

Renamed controls:
 AAT-07.1 - AI & Autonomous Technologies Impact Assessment
 HRS-05.3 - Technology Use Restrictions
 IRO-12 - Sensitive / Regulated Data Spill Response
 IRO-12.1 - Sensitive / Regulated Data Spill Responsible Personnel
 IRO-12.2 - Sensitive / Regulated Data Spill Training
 IRO-12.3 - Post-Sensitive / Regulated Data Spill Operations
 IRO-12.4 - Sensitive / Regulated Data Exposure to Unauthorized Personnel
 TDA-06 - Secure Software Development Practices (SSDP)
 TPM-03 - Supply Chain Risk Management (SCRM)

Wordsmithed controls:
 GOV-03 - Periodic Review & Update of Cybersecurity & Data Protection Program
 AAT-07.1 - AI & Autonomous Technologies Impact Assessment
 AAT-08 - Assigned Responsibilities for AI & Autonomous Technologies
 AAT-09 - AI & Autonomous Technologies Risk Profiling
 AAT-10 - Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV)
 AAT-10.3 - AI TEVV Trustworthiness Demonstration
 AAT-16.7 - Pre-Trained AI & Autonomous Technologies Models
 BCD-06 - Ongoing Contingency Planning
 CPL-03 - Cybersecurity & Data Protection Assessments
 HRS-04.2 - Formal Indoctrination
 HRS-05.3 - Technology Use Restrictions
 HRS-15 - Reporting Suspicious Activities
 IAC-10 - Authenticator Management
 IRO-12 - Sensitive / Regulated Data Spill Response
 IRO-12.1 - Sensitive / Regulated Data Spill Responsible Personnel
 IRO-12.2 - Sensitive / Regulated Data Spill Training
 IRO-12.3 - Post-Sensitive / Regulated Data Spill Operations
 IRO-12.4 - Sensitive / Regulated Data Exposure to Unauthorized Personnel
 TDA-01.1 - Product Management
 TDA-02 - Minimum Viable Product (MVP) Security Requirements
 TDA-06 - Secure Software Development Practices (SSDP)
 TPM-03 - Supply Chain Risk Management (SCRM)

Updating mappings:
 Canada ITSP-10-171
o HRS-04
o HRS-05.1
o IAC-02
o IAC-25
 CISA SSDAF
o AST-03.2
o TDA-04.2
 NIST 800-171 R3
o HRS-04
o HRS-05.1
o IAC-02
o IAC-25
 NIST 800-171A R3
o HRS-04
o IAC-02
o TDA-02.3

Version 2025.2 represents a major update, based on number of new and changed controls in the Secure Controls Framework (SCF). There are seventy-nine (79) new controls in SCF 2025.2 and the majority of the new controls are focused on the governance of Artificial Intelligence (AI) and the majority of the new controls are focused on the governance of Artificial Intelligence (AI).

You can download the new version of the SCF and errata from:
 SCF https://securecontrolsframework.com/scf-download/
 Errata https://securecontrolsframework.com/errata/

Added / Updated Set Theory Relationship Mappings (STRM) for:
 EU Artificial Intelligence (AI)I Act (Regulation (EU) 2024/1689)
 EU Cyber Resilience Act
 EU Cyber Resilience Act - Annexes
 ENISA NIS2 Annex
 Farm Credit Administration (FCA) Cyber Risk Management
 NAIC Insurance Data Security Model Law 668
 NERC CIP (2024)
 NIST AI 100-1 (AI Risk Management Framework)
 NIST AI 600-1 (NIST Trustworthy and Responsible AI)
 NIST SP 800-171 R3
 NIST SP 800-171A R3
 NIST SP 800-218 v1.1
 NZ Health Information Security Framework (2022)
 HISO 10029:2024 NZ Health Information Security Framework Guidance for Suppliers

Removed SCF mappings to:
 South Carolina Insurance Data Security Act (directly maps to NAIC Insurance Data Security Model Law 668)

New controls:
 GOV-01.3 - Commitment To Continual Improvements
 GOV-18 - Quality Management System (QMS)
 AAT-02.3 - Adequate Protections For AI & Autonomous Technologies
 AAT-09.1 - AI & Autonomous Technologies High Risk Designations
 AAT-10.15 - AI TEVV Reporting
 AAT-10.16 - AI TEVV Empirically Validated Methods
 AAT-10.17 - AI TEVV Benchmarking Content Provenance
 AAT-10.18 - AI TEVV Model Collapse Mitigations
 AAT-12.3 - Data Source Lineage & Origin Disclosure
 AAT-12.4 - Digital Content Modification Logging
 AAT-16.8 - AI & Autonomous Technologies Event Logging
 AAT-16.9 - Serious Incident Reporting For AI & Autonomous Technologies
 AAT-16.10 - Serious Incident Root Cause Analysis (RCA) For AI & Autonomous Technologies
 AAT-17.4 - Novel Risk Assessment Methods & Technologies
 AAT-17.5 - Fine Tuning Risk Mitigation
 AAT-19 - AI & Autonomous Technologies Conformity
 AAT-19.1 - Manipulative or Deceptive Techniques
 AAT-19.2 - Materially Distorting Behaviors
 AAT-19.3 - Social Scoring
 AAT-19.4 - Detrimental or Unfavorable Treatment
 AAT-19.5 - Risk and Criminal Profiling
 AAT-19.6 - Populating Facial Recognition Databases
 AAT-19.7 - Emotion Inference
 AAT-19.8 - Biometric Categorization
 AAT-20 - AI & Autonomous Technologies Development Practices
 AAT-20.1 - AI & Autonomous Technologies Transparency
 AAT-20.2 - AI & Autonomous Technologies Implementation Documentation
 AAT-20.3 - AI & Autonomous Technologies Human Domain Knowledge Reliance
 AAT-21 - AI & Autonomous Technologies Registration
 AAT-22 - AI & Autonomous Technologies Deployment
 AAT-22.1 - AI & Autonomous Technologies Human Oversight
 AAT-22.2 - AI & Autonomous Technologies Oversight Measures
 AAT-22.3 - AI & Autonomous Technologies Separate Verification
 AAT-22.4 - AI & Autonomous Technologies Oversight Functions Competency
 AAT-22.5 - AI & Autonomous Technologies Data Relevance
 AAT-22.6 - AI & Autonomous Technologies Irregularity Reporting
 AAT-22.7 - AI & Autonomous Technologies Use Notification To Employees
 AAT-22.8 - AI & Autonomous Technologies Use Notification To Users
 AAT-23 - AI & Autonomous Technologies Output Marking
 AAT-24 - Real World Testing of AI & Autonomous Technologies
 AAT-25 - AI & Autonomous Technologies System Value Chain
 AAT-25.1 - AI & Autonomous Technologies System Value Chain Fallbacks
 AAT-26 - AI & Autonomous Technologies Testing Techniques
 AAT-26.1 - Generative Artificial Intelligence (GAI) Identification
 AAT-26.2 - AI & Autonomous Technologies Capabilities Testing
 AAT-26.3 - Real-World Testing
 AAT-26.4 - Documenting Testing Guidance
 AAT-27 - AI & Autonomous Technologies Output Filtering
 AAT-27.1 - Human Moderation
 AST-31.2 - High-Risk Asset Categorization
 BCD-06.1 - Contingency Planning Components
 BCD-06.2 - Contingency Plan Update Notifications
 CHG-07 - Emergency Changes
 CHG-07.1 - Documenting Emergency Changes
 CPL-01.4 - Conformity Assessment
 CPL-01.5 - Declaration of Conformity
 CPL-02.3 - Corrective Action
 CPL-03.3 - Assessor Access
 CPL-08 - Localized Representation
 CPL-08.1 - Representative Powers
 MON-02.9 - Inventory of Technology Asset Event Logging
 HRS-07.2 - Updating Disciplinary Processes
 IAC-10.13 - Events Requiring Authenticator Change
 IRO-09.2 - Recurring Incident Analysis
 IRO-10.5 - Serious Incident Reporting
 RSK-04.2 - Risk Assessment Methodology
 SAT-01.1 - Maintaining Workforce Development Relevancy
 TDA-02.8 - Minimizing Attack Surfaces
 TDA-02.9 - Ongoing Product Security Support
 TDA-02.10 - Product Testing & Reviews
 TDA-02.11 - Disclosure of Vulnerabilities
 TDA-02.12 - Products With Digital Elements
 TDA-02.13 - Reporting Exploitable Vulnerabilities
 TDA-21 - Product Conformity Governance
 TDA-22 - Technical Documentation Artifacts
 TDA-22.1 - Product-Specific Risk Assessment Artifacts
 VPM-04.3 - Deferred Patching Decisions
 VPM-05.8 - Software Patch Integrity

Renamed controls:
 AAT-07.1 - AI & Autonomous Technologies Impact Assessment
 HRS-05.3 - Technology Use Restrictions
 IRO-12 - Sensitive / Regulated Data Spill Response
 IRO-12.1 - Sensitive / Regulated Data Spill Responsible Personnel
 IRO-12.2 - Sensitive / Regulated Data Spill Training
 IRO-12.3 - Post-Sensitive / Regulated Data Spill Operations
 IRO-12.4 - Sensitive / Regulated Data Exposure to Unauthorized Personnel
 TDA-06 - Secure Software Development Practices (SSDP)
 TPM-03 - Supply Chain Risk Management (SCRM)

Wordsmithed controls:
 GOV-03 - Periodic Review & Update of Cybersecurity & Data Protection Program
 AAT-07.1 - AI & Autonomous Technologies Impact Assessment
 AAT-08 - Assigned Responsibilities for AI & Autonomous Technologies
 AAT-09 - AI & Autonomous Technologies Risk Profiling
 AAT-10 - Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV)
 AAT-10.3 - AI TEVV Trustworthiness Demonstration
 AAT-16.7 - Pre-Trained AI & Autonomous Technologies Models
 BCD-06 - Ongoing Contingency Planning
 CPL-03 - Cybersecurity & Data Protection Assessments
 HRS-04.2 - Formal Indoctrination
 HRS-05.3 - Technology Use Restrictions
 HRS-15 - Reporting Suspicious Activities
 IAC-10 - Authenticator Management
 IRO-12 - Sensitive / Regulated Data Spill Response
 IRO-12.1 - Sensitive / Regulated Data Spill Responsible Personnel
 IRO-12.2 - Sensitive / Regulated Data Spill Training
 IRO-12.3 - Post-Sensitive / Regulated Data Spill Operations
 IRO-12.4 - Sensitive / Regulated Data Exposure to Unauthorized Personnel
 TDA-01.1 - Product Management
 TDA-02 - Minimum Viable Product (MVP) Security Requirements
 TDA-06 - Secure Software Development Practices (SSDP)
 TPM-03 - Supply Chain Risk Management (SCRM)

Updating mappings:
 Canada ITSP-10-171
o HRS-04
o HRS-05.1
o IAC-02
o IAC-25
 CISA SSDAF
o AST-03.2
o TDA-04.2
 NIST 800-171 R3
o HRS-04
o HRS-05.1
o IAC-02
o IAC-25
 NIST 800-171A R3
o HRS-04
o IAC-02
o TDA-02.3

Version 2025.2 represents a major update, based on number of new and changed controls in the Secure Controls Framework (SCF). The majority of the new controls are focused on the governance of Artificial Intelligence (AI).

You can download the new version of the SCF and errata from:

Added / Updated Set Theory Relationship Mappings (STRM) for:

EU Artificial Intelligence (AI)I Act (Regulation (EU) 2024/1689)
EU Cyber Resilience Act
EU Cyber Resilience Act - Annexes
ENISA NIS2 Annex
Farm Credit Administration (FCA) Cyber Risk Management
NAIC Insurance Data Security Model Law 668
NERC CIP (2024)
NIST AI 100-1 (AI Risk Management Framework)
NIST AI 600-1 (NIST Trustworthy and Responsible AI)
NIST SP 800-171 R3
NIST SP 800-171A R3
NIST SP 800-218 v1.1
NZ Health Information Security Framework (2022)
HISO 10029:2024 NZ Health Information Security Framework Guidance for Suppliers

Removed SCF mappings to:

South Carolina Insurance Data Security Act (directly maps to NAIC Insurance Data Security Model Law 668)

New controls:

GOV-01.3 - Commitment To Continual Improvements
GOV-18 - Quality Management System (QMS)
AAT-02.3 - Adequate Protections For AI & Autonomous Technologies
AAT-09.1 - AI & Autonomous Technologies High Risk Designations
AAT-10.15 - AI TEVV Reporting
AAT-10.16 - AI TEVV Empirically Validated Methods
AAT-10.17 - AI TEVV Benchmarking Content Provenance
AAT-10.18 - AI TEVV Model Collapse Mitigations
AAT-12.3 - Data Source Lineage & Origin Disclosure
AAT-12.4 - Digital Content Modification Logging
AAT-16.8 - AI & Autonomous Technologies Event Logging
AAT-16.9 - Serious Incident Reporting For AI & Autonomous Technologies
AAT-16.10 - Serious Incident Root Cause Analysis (RCA) For AI & Autonomous Technologies
AAT-17.4 - Novel Risk Assessment Methods & Technologies
AAT-17.5 - Fine Tuning Risk Mitigation
AAT-19 - AI & Autonomous Technologies Conformity
AAT-19.1 - Manipulative or Deceptive Techniques
AAT-19.2 - Materially Distorting Behaviors
AAT-19.3 - Social Scoring
AAT-19.4 - Detrimental or Unfavorable Treatment
AAT-19.5 - Risk and Criminal Profiling
AAT-19.6 - Populating Facial Recognition Databases
AAT-19.7 - Emotion Inference
AAT-19.8 - Biometric Categorization
AAT-20 - AI & Autonomous Technologies Development Practices
AAT-20.1 - AI & Autonomous Technologies Transparency
AAT-20.2 - AI & Autonomous Technologies Implementation Documentation
AAT-20.3 - AI & Autonomous Technologies Human Domain Knowledge Reliance
AAT-21 - AI & Autonomous Technologies Registration
AAT-22 - AI & Autonomous Technologies Deployment
AAT-22.1 - AI & Autonomous Technologies Human Oversight
AAT-22.2 - AI & Autonomous Technologies Oversight Measures
AAT-22.3 - AI & Autonomous Technologies Separate Verification
AAT-22.4 - AI & Autonomous Technologies Oversight Functions Competency
AAT-22.5 - AI & Autonomous Technologies Data Relevance
AAT-22.6 - AI & Autonomous Technologies Irregularity Reporting
AAT-22.7 - AI & Autonomous Technologies Use Notification To Employees
AAT-22.8 - AI & Autonomous Technologies Use Notification To Users
AAT-23 - AI & Autonomous Technologies Output Marking
AAT-24 - Real World Testing of AI & Autonomous Technologies
AAT-25 - AI & Autonomous Technologies System Value Chain
AAT-25.1 - AI & Autonomous Technologies System Value Chain Fallbacks
AAT-26 - AI & Autonomous Technologies Testing Techniques
AAT-26.1 - Generative Artificial Intelligence (GAI) Identification
AAT-26.2 - AI & Autonomous Technologies Capabilities Testing
AAT-26.3 - Real-World Testing
AAT-26.4 - Documenting Testing Guidance
AAT-27 - AI & Autonomous Technologies Output Filtering
AAT-27.1 - Human Moderation
AST-31.2 - High-Risk Asset Categorization
BCD-06.1 - Contingency Planning Components
BCD-06.2 - Contingency Plan Update Notifications
CHG-07 - Emergency Changes
CHG-07.1 - Documenting Emergency Changes
CPL-01.4 - Conformity Assessment
CPL-01.5 - Declaration of Conformity
CPL-02.3 - Corrective Action
CPL-03.3 - Assessor Access
CPL-08 - Localized Representation
CPL-08.1 - Representative Powers
MON-02.9 - Inventory of Technology Asset Event Logging
HRS-07.2 - Updating Disciplinary Processes
IAC-10.13 - Events Requiring Authenticator Change
IRO-09.2 - Recurring Incident Analysis
IRO-10.5 - Serious Incident Reporting
RSK-04.2 - Risk Assessment Methodology
SAT-01.1 - Maintaining Workforce Development Relevancy
TDA-02.8 - Minimizing Attack Surfaces
TDA-02.9 - Ongoing Product Security Support
TDA-02.10 - Product Testing & Reviews
TDA-02.11 - Disclosure of Vulnerabilities
TDA-02.12 - Products With Digital Elements
TDA-02.13 - Reporting Exploitable Vulnerabilities
TDA-21 - Product Conformity Governance
TDA-22 - Technical Documentation Artifacts
TDA-22.1 - Product-Specific Risk Assessment Artifacts
VPM-04.3 - Deferred Patching Decisions
VPM-05.8 - Software Patch Integrity

Renamed controls:

AAT-07.1 - AI & Autonomous Technologies Impact Assessment
HRS-05.3 - Technology Use Restrictions
IRO-12 - Sensitive / Regulated Data Spill Response
IRO-12.1 - Sensitive / Regulated Data Spill Responsible Personnel
IRO-12.2 - Sensitive / Regulated Data Spill Training
IRO-12.3 - Post-Sensitive / Regulated Data Spill Operations
IRO-12.4 - Sensitive / Regulated Data Exposure to Unauthorized Personnel
TDA-06 - Secure Software Development Practices (SSDP)
TPM-03 - Supply Chain Risk Management (SCRM)

Wordsmithed controls:

GOV-03 - Periodic Review & Update of Cybersecurity & Data Protection Program
AAT-07.1 - AI & Autonomous Technologies Impact Assessment
AAT-08 - Assigned Responsibilities for AI & Autonomous Technologies
AAT-09 - AI & Autonomous Technologies Risk Profiling
AAT-10 - Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV)
AAT-10.3 - AI TEVV Trustworthiness Demonstration
AAT-16.7 - Pre-Trained AI & Autonomous Technologies Models
BCD-06 - Ongoing Contingency Planning
CPL-03 - Cybersecurity & Data Protection Assessments
HRS-04.2 - Formal Indoctrination
HRS-05.3 - Technology Use Restrictions
HRS-15 - Reporting Suspicious Activities
IAC-10 - Authenticator Management
IRO-12 - Sensitive / Regulated Data Spill Response
IRO-12.1 - Sensitive / Regulated Data Spill Responsible Personnel
IRO-12.2 - Sensitive / Regulated Data Spill Training
IRO-12.3 - Post-Sensitive / Regulated Data Spill Operations
IRO-12.4 - Sensitive / Regulated Data Exposure to Unauthorized Personnel
TDA-01.1 - Product Management
TDA-02 - Minimum Viable Product (MVP) Security Requirements
TDA-06 - Secure Software Development Practices (SSDP)
TPM-03 - Supply Chain Risk Management (SCRM)

Updating mappings:

Canada ITSP-10-171
o HRS-04
o HRS-05.1
o IAC-02
o IAC-25
CISA SSDAF
o AST-03.2
o TDA-04.2
NIST 800-171 R3
o HRS-04
o HRS-05.1
o IAC-02
o IAC-25
NIST 800-171A R3
o HRS-04
o IAC-02
o TDA-02.3

Version 2025.1 represents a minor update, based on new and changed controls in the Secure Controls Framework (SCF). You can download the new version of the SCF and errata from:

NOTE - Version 2025.1.1 added the missing column for the India Digital Personal Data Protection Act (DPDPA) from the main SCF spreadsheet.

Added Set Theory Relationship Mappings (STRM) for:

UK Defence Standard (Def Stan) 05-138
India Digital Personal Data Protection Act (DPDPA)
Saudi Arabia IoT CGIoT-1
Saudi Arabia Person Data Protection Law (PDPL)
Spain BOE-A-2022-7191
UAE National Information Assurance Framework (NIAF)
EU General Data Protection Regulation (GDPR)
US Data Privacy Framework
US Oregon Data Privacy Act (SB619)
US Texas Data Privacy & Security Act

Removed mappings to:

Old version of EU GDPR mapping
EU ePrivacy Directive
Czech Republic Act No. 101/2000 on the Protection of Personal Data
Denmark Act on Processing of Personal Data (Act No. 429 of May 31, 2000)
Finland Personal Data Act (986/2000)
France 78 17 / 2004 8021 - Information Technology, Data Files & Civil Liberty
Luxembourg Protection of Personals with Regard to the Processing of Personal Data
Portugal Act on the Protection of Personal Data
Slovak Republic Protection of Personal Data (122/2013)
UAE Data Protection Law No. 1 of 2007
Indonesia Government Regulation No. 82 of 2012

New controls:

CPL-01.3 - Ability To Demonstrate Conformity
CPL-02.2 - Periodic Audits
CPL-07 - Grievances
CPL-07.1 - Grievance Response
MON-17 - Event Log Analysis & Triage
MON-17.1 - Event Log Review Escalation Matrix
HRS-01.1 - Onboarding, Transferring & Offboarding Personnel
HRS-14 - Identifying Authorized Work Locations
HRS-14.1 - Communicating Authorized Work Locations
HRS-15 - Reporting Suspicious Activities
PES-19 - Physical Access Device Inventories
PRI-01.8 - Data Fiduciary
PRI-01.9 - Personal Data (PD) Process Manager
PRI-01.10 - Financial Incentives For Personal Data (PD)
PRI-03.9 - Continued Use of Personal Data (PD)
PRI-03.10 - Cease Processing, Storing and/or Sharing Personal Data (PD)
PRI-03.11 - Communicating Processing Changes
PRI-04.7 - Personal Data (PD) Collection Methods
PRI-05.8 - Personal Data (PD) Formats
PRI-07.5 - Justification To Reject Disclosure Requests
PRI-12.1 - Enabling Data Subjects To Update Personal Data (PD)
VPM-05.6 - Pre-Deployment Patch Testing
VPM-05.7 - Out-of-Cycle Patching

Renamed controls:

MON-01.8 - Security Event Monitoring
IRO-10.2 - Cyber Incident Reporting for Sensitive / Regulated Data
PRI-01.7 - Limiting Personal Data (PD) Disclosures
PRI-03.2 - Just-In-Time Notice & Updated Consent
PRI-03.3 - Prohibition of Selling, Processing and/or Sharing Personal Data (PD)
PRI-04.1 - Authority To Collect, Process, Store & Share Personal Data (PD)
PRI-04.4 - Acquired Personal Data (PD)
PRI-04.5 - Validate Collected Personal Data (PD)
PRI-04.6 - Re-Validate Collected Personal Data (PD)
10 PRI-05 - Personal Data (PD) Retention & Disposal
PRI-05.1 - Internal Use of Personal Data (PD) For Testing, Training and Research
PRI-05.4 - Usage Restrictions of Personal Data (PD)
PRI-05.6 - Personal Data (PD) Inventory Automation Support
PRI-06 - Data Subject Empowerment
PRI-06.7 - Personal Data (PD) Exports
PRI-07.2 - Joint Processing of Personal Data (PD)
PRI-07.4 - Reject Unauthenticated or Untrustworthy Disclosure Requests
PRI-14 - Documenting Data Processing Activities
SAT-03.3 - Sensitive / Regulated Data Storage, Handling & Processing

Wordsmithed controls:

GOV-08 - Defining Business Context & Mission
GOV-16 - Materiality Determination
CRY-07 - Wireless Access Authentication & Encryption
DCH-18.1 - Minimize Sensitive / Regulated Data
NET-15.1 - Authentication & Encryption
PRI-01 - Data Privacy Program
PRI-01.4 - Data Protection Officer (DPO)
PRI-01.6 - Security of Personal Data (PD)
PRI-02 - Data Privacy Notice
PRI-02.1 - Purpose Specification
PRI-02.2 - Automated Data Management Processes
PRI-02.3 - Computer Matching Agreements (CMA)
PRI-03 - Choice & Consent
PRI-03.1 - Tailored Consent
PRI-03.2 - Just-In-Time Notice & Updated Consent
PRI-03.3 - Prohibition of Selling, Processing and/or Sharing Personal Data (PD)
PRI-03.4 - Revoke Consent
PRI-03.5 - Product or Service Delivery Restrictions
PRI-04 - Restrict Collection To Identified Purpose
PRI-04.1 - Authority To Collect, Process, Store & Share Personal Data (PD)
PRI-04.3 - Identifiable Image Collection
PRI-05.2 - Personal Data (PD) Accuracy & Integrity
PRI-05.4 - Usage Restrictions of Personal Data (PD)
PRI-05.5 - Inventory of Personal Data (PD)
PRI-06 - Data Subject Empowerment
PRI-06.3 - Appeal Adverse Decision
PRI-06.4 - User Feedback Management
PRI-06.5 - Right to Erasure
PRI-06.6 - Data Portability
PRI-06.7 - Personal Data (PD) Exports
PRI-07.4 - Reject Unauthenticated or Untrustworthy Disclosure Requests
PRI-09 - Personal Data (PD) Lineage
PRI-14 - Documenting Data Processing Activities
PRI-14.1 - Accounting of Disclosures
PRI-17 - Data Subject Communications
OPS-07 - Shadow Information Technology Detection
SAT-03.3 - Sensitive / Regulated Data Storage, Handling & Processing

Updating mappings:
 ISO 27002:2022
o GOV-09 (corrected typo)
 NIST 800-171A
o CFG-02
o MON-08

Version 2024.4 represents a minor update, based on new and changed controls. You can download the new version from https://securecontrolsframework.com/scf-download/ and errata is available at https://securecontrolsframework.com/errata/

Added Set Theory Relationship Mappings (STRM) for:
 HIPAA Security Rule (NIST SP 800-66 R2)
 HIPAA Administrative Simplification
 CIS CSC 8.1
 CISA Cybersecurity Performance Goals (CPG)
 CISA Secure Software Development Attestation Form (SSDAF)

Removed mappings to:
 HIPAA
 NIST 800-66 R2 (combined it int o the new HIPAA Security Rule column)
 CIS CSC 8.0

New controls:
 SAT-05
 THR-06.1

Renamed controls:
 DCH-06.3
 DCH-18.1
 DCH-18.2

Wordsmithed controls:
 DCH-18.1
 DCH-18.2
 IRO-02
 IAO-02.2
 PRI-01.2
 RSK-02
 TDA-09
 TDA-15
 TPM-08

Updating mappings:
 FAR 52.204-21
o GOV-01
o GOV-02
o GOV-04
o GOV-04.1
o GOV-15
o PES-03
o PES-03.3
 NIS2
o AST-02
 NIST 800-53 R4
o CFG-02
o CFG-02.1
 NIST 800-53 R5
o CFG-02
o CFG-02.1
o MON-03
 NIST 800-171 R2
o CLD-06
o CLD-10
o CFG-02
o CFG-02.1
o NET-02.2
o PES-06.1
o WEB-02
o WEB-04
 NIST 800-171A
o CLD-06
o CLD-10
o NET-02.2
o PES-05
o PES-05.1
o PES-05.2
o PES-06
o PES-06.1
o WEB-02
o WEB-04
 NIST 800-171 R3
o DCH-14
o IAO-02
o NET-02.2
o PES-06.1
o TDA-02
 NIST 800-171A R3
o NET-02.2
o PES-06.1

Version 2024.3 represents a minor update, based on new and changed controls. New content includes possible solutions & considerations based on BLS firm size classes 1-9.

Added Set Theory Relationship Mappings (STRM) for:

TISAX ISA v6.0.3
Australia ISM June 2024
New Zealand Health ISF 2022
PCI DSS v4
CIS CSC 8.0
CMMC Level 1 / FAR 52.204-21
NIST 800-171A

Removed mappings to:

TISAX ISA v5.1.0
Australia ISM 2022
New Zealand Health ISF

New controls:

IAC-01.3 - User & Service Account Inventories
NET-04.14 - Application Proxy
NET-06.7 - Software Defined Networking (SDN)
PES-01.2 - Zone-Based Physical Security
TDA-01.4 - DevSecOps

New risks:

R-SC-1 - Third-party cybersecurity exposure
R-SC-2 - Third-party physical security exposure
R-SC-3 - Third-party supply chain relationships, visibility and controls
R-SC-4 - Third-party compliance / legal exposure
R-SC-5 - Use of product / service
R-SC-6 - Reliance on the third-party

New threats:

MT-17 - Foreign Ownership, Control, or Influence (FOCI)
MT-18 - Geopolitical
MT-19 - Sanctions
MT-20 - Counterfeit / Non-Conforming Products
MT-21 - Operational Environment
MT-22 - Supply Chain Interdependencies
MT-23 - Third-Party Quality Deficiencies

Renamed controls:

AST-08
AST-15
BCD-06
BCD-10.4
DCH-18.1
IAC-10.8
NET-04.7
NET-18.1
TPM-05.8
THR-03

Wordsmithed controls:

MON-01.4
DCH-18.1
HRS-03
IAC-10.8
NET-04.7
THR-03

Updating mappings:

CIS

AST-01
AST-02.2
AST-02.9
AST-03.2
BCD-11.5
CHG-06
CFG-01
CFG-02
CFG-02.1
CFG-03
CFG-03.2
CFG-05.2
CFG-06.1
MON-01
MON-01.4
MON-03
MON-04
CRY-01
CRY-05
CRY-05.1
DCH-01.2
DCH-01.4
DCH-14.3
END-04
END-04.3
END-04.7
END-05
END-06.2
END-08
HRS-05.3
HRS-05.4
IAC-01
IAC-01.2
IAC-03
IAC-04
IAC-08
IAC-13.1
IAC-13.2
IAC-15.1
IAC-16
IRO-02
IRO-04
IRO-06
IRO-07
IRO-10
IRO-15
MDM-01
MDM-06
MDM-07
NET-03
NET-08.3
NET-20.4
RSK-06.2
RSK-09.1
SAT-03
SAT-03.8
SAT-03.9
TDA-01
TDA-01.1
TDA-02
TDA-02.1
TDA-02.5
TDA-02.6
TDA-17
TPM-05.4
TPM-05.5
TPM-08
THR-06
VPM-04
VPM-05.1
VPM-06.6
VPM-06.7
VPM-07
WEB-07
WEB-08
CMMC Level 1

IAC-02
IAC-04
IAC-15
IAC-20
NET-03
TPM-01
VPM-02
VPM-04
VPM-05
WEB-01
WEB-02
WEB-04
FAR 52.204-21

GOV-01
GOV-02
GOV-04
GOV-04.1
GOV-15
AST-01
CLD-03
CLD-04
CLD-07
CLD-09
CPL-01
CFG-03
DCH-01
DCH-16
DCH-21
END-01
END-04
HRS-01
HRS-05
IAC-04
IAC-09
IAC-10
IAC-10.1
IAC-15.1
IRO-15
NET-02
NET-05.1
NET-08.1
NET-14
NET-14.5
PES-01
PES-03
PES-03.1
PES-03.3
SEA-01
SEA-02
SEA-03
TDA-11.2
TPM-01
TPM-05
TPM-05.2
THR-03
PCI DSS v4

GOV-01
GOV-02
GOV-03
GOV-04
AST-01
AST-02
AST-04.2
AST-04.3
AST-05
BCD-11
CHG-01
CHG-02
CHG-02.4
CPL-01
CFG-01
CFG-02
CFG-02.1
CFG-02.5
CFG-03
CFG-03.1
MON-01
MON-01.4
MON-01.7
MON-01.8
MON-01.10
MON-03
MON-16
CRY-01
CRY-02
CRY-03
CRY-05
CRY-05.1
CRY-09
DCH-01.2
DCH-03.1
DCH-06
DCH-06.1
DCH-06.5
DCH-07
DCH-08
DCH-13.1
DCH-18
END-01
END-04
END-04.1
END-04.7
END-06
END-08
END-16
HRS-03
HRS-03.1
IAC-01
IAC-03
IAC-06.1
IAC-06.2
IAC-10
IAC-10.1
IAC-12
IAC-17
IAC-20.6
IAC-21
IRO-01
IRO-02
IRO-12.3
IRO-13
IAO-04
NET-01
NET-02
NET-02.2
NET-04.7
NET-06
NET-08.1
NET-09
NET-12
NET-12.1
NET-14
NET-15
NET-15.1
PES-01
PES-02
PES-02.1
PES-06.4
PRI-05
PRI-05.5
PRI-08
RSK-05
RSK-06
RSK-06.2
SEA-01
SEA-02.3
SEA-04.1
OPS-01
OPS-01.1
SAT-01
SAT-02
SAT-03
SAT-03.3
SAT-03.5
SAT-03.6
SAT-04
TDA-07
TDA-15
TPM-01
TPM-04
TPM-04.4
TPM-05
THR-01
VPM-01
VPM-01.1
VPM-02
VPM-03
VPM-04
VPM-06
VPM-06.2
VPM-06.6
VPM-06.7
WEB-10

Version 2024.2.1 corrects a formatting issue for the following controls:

AST-01.4
AST-02
AST-02.1
AST-02.2
AST-02.3
AST-02.4
AST-02.5
AST-02.6
AST-02.7
AST-02.8
AST-02.9
AST-02.10
AST-02.11
AST-03

Releases: securecontrolsframework/securecontrolsframework

SCF 2026.1

Uh oh!

SCF 2025.4

Uh oh!

SCF 2025.3.1

Uh oh!

SCF 2025.2.2

Uh oh!

SCF 2025.2.1

Uh oh!

SCF 2025.2

Uh oh!

SCF 2025.1

Uh oh!

2024.4

Uh oh!

2024.3

Uh oh!

SCF 2024.2.1

Uh oh!