
© 2019. Secure Controls Framework Council, LLC



This page will be periodically updated with errata (e.g., edits or changes) to the Secure Controls Framework (SCF) that reflect both minor and major revisions to the SCF. 

Current Release

2020.1 (2020-01-14)

Summary of changes in 2020.1 release:

  • Updated mapping for the California Consumer Privacy Act (CCPA) (January 1, 2020)

  • Updated mapping for California SB327 (January 1, 2020)


Historical Releases

2019.7 (2019-12-17)

Summary of changes in 2019.7 release:

  • Added mapping:

    • CERT Resilience Management Model (RMM) v1.2

    • COBIT 2019

    • FedRAMP HIGH baseline & low, moderate, high & LI-SAAS categorizations

    • ISO 22301:2019

    • ISO 27701:2019

    • ITAR (part 120 - partial mapping)

    • NIST 800-53 rev4 HIGH baseline & low, moderate, high & not-otherwise-categorized categorizations.

    • NIST 800-63B (partial mapping)

    • NIST 800-171B (2019 draft)

    • NIST Privacy Framework (2019 draft)

    • US DOD – Cybersecurity Maturity Model Certification (CMMC) v0.6

    • US DOJ / FBI - Criminal Justice Information Services (CJIS) Security Policy 5.8

    • US Nevada SB820

    • US Vermont Act 171 of 2018 (Data Broker Registration Act)

  • Added a new column to identify errata

  • Removed mappings for:

    • COBIT 5

    • CJIS 5.5 

  • Updated mappings for:

    • California Consumer Privacy Act (CCPA)

    • FAR 52.204-21

    • FDA 21 CFR Part 11

2019.6 (2019-09-04)

Summary of changes in 2019.6 release:

  • Added mapping:

    • Secure Controls Framework (SCF) control questions (ability to ask the control in a question format)

    • SCF’s Security & Privacy Capability Maturity Model (SP-CMM) criteria

  • Added mapping for:

    • Israel’s Cyber Defense Methodology for an Organization (CDMO) v1.0

    • COSO 2017

  • Added additional mappings for NIST 800-53 rev4 & rev5 (initial draft):

    • AC-6 added mapping to IAC-20

  • Added additional mappings for NIST Cybersecurity Framework v1.1:

    • ID.BE-05 added mapping to BCD-02 

    • PR.IP-6 added mapping to DCH-09

    • PR.PT-5 added mapping to SEA-01

    • DE.DP-1 added mapping to HRS-03

    • DE.DP-2 added mapping to CPL-01

    • RC.CO-1 added mapping to IRO-02

    • RC.CO-2 added mapping to IRO-02

    • RC.CO-3 added mapping to IRO-02

    • PR.DS-8 added mapping to MON-01.7 & TDA-14

  • Wordsmithed the following SCF controls:

    • BCD-02

    • BCD-02.1

    • BCD-02.2

2019.5 (2019-07-31)

Summary of changes in 2019.5 release:

  • Added mapping for:

    • IRS 1075

    • Social Security Administration (SSA) Electronic Information Exchange Requirements

    • SWIFT Customer Security Controls Framework v2019

  • Added additional mappings for NIST 800-53 rev4:

    • SA-1 (TDA-01)

    • SC-1 (SEA-01)

2019.4 (2019-04-23)

Summary of changes in 2019.4 release:

  • Updated mapping for Cloud Security Alliance Cloud Controls Matrix (CSA CCM):

    • AST-04 maps to: DSI-02

    • AST-09 maps to: DCS-05

    • AST-16 maps to: MOS-06

    • CFG-03 maps to: IAM-03

    • CHG-04.5 maps to: IAM-06

    • CLD-04 maps to: AIS-01 & IPY-01

    • CLD-05 maps to: IVS-02

    • CLD-06 maps to: IVS-09

    • CLD-07 maps to: IVS-10

    • CPL-02 maps to: GRM-03

    • CRY-03 maps to: IVS-10

    • GOV-01 maps to: GRM-04

    • HRS-05.1 maps to: MOS-06

    • IAC-01 maps to: IAM-01 & IAM-04

    • IAC-02 maps to: IAM-09

    • IAC-03 maps to: IAM-07

    • IAC-03 maps to: IAM-09

    • IAC-04 maps to: DCS-03

    • IAC-05 maps to: IAM-09

    • IAC-07 maps to: IAM-09 & IAM-11

    • IAC-15 maps to: IAM-10

    • IAC-15.3 maps to: IAM-11

    • IAC-15.6 maps to: IAM-11

    • IAC-17 maps to: IAM-10

    • IAC-20.3 maps to: IAM-01 & IAM-13

    • IRO-08 maps to: SEF-04

    • MDM-03 maps to: MOS-11

    • MON-01 maps to: IAM-04

    • NET-01 maps to: IPY-04

    • PRI-06 maps to: IPY-02

    • PRI-06.4 maps to: IPY-04

    • PRI-06.6 maps to: IPY-02

    • PRI-07 maps to: IPY-03

    • PRI-07.1 maps to: IPY-03

    • SEA-01 maps to: AIS-01 & IPY-04

2019.3 (2019-04-04)

Summary of changes in 2019.3 release:

  • Added mapping for:

    • Alaska Personal Information Protection Act (PIPA)

    • California SB1121 – California Consumer Privacy Act (CCPA) (Nov 2018 amendment version)

    • DCH-14 maps to:

      • EU GDPR Art 46

    • PES-01 maps to:

      • ISO 27002 11.1.4 & 18.1.4

    • PES-04 maps to:

      • ISO 27002 11.2.9

    • PES-12 maps to:

      • ISO 27002 11.1.4

  • Corrected typographic error on NET-04

    • ISO 27002 mapping is 13.1.1, not 13.11

2019.2 (2019-02-11)

Summary of changes in 2019.2 release:

  • Added mapping for:

    • CPL-03.1 maps to:

      • NIST 800-53 rev4 CA-2(1)

      • NIST 800-171 NFO (CA-2(1))

    • IAO-04 maps to:

      • NIST 800-53 rev4 CA-1 & PM-10

      • NIST 800-171 NFO (CA-1)

    • PES-01 maps to:

      • ISO 27002 11.1.4

2019.1 (2019-01-09)

Summary of changes in 2019.1 release:

  • Added additional tabs to the spreadsheet:

    • Security & Privacy by Design (S|P) Principles tab

    • SCF Privacy Management Principles tab

    • EU GDPR Compliance Criteria (EGCC) tab

  • Added a column for Minimum Security Requirements (MSR) to make filtering requirements easier.

  • Added mapping for:

    • NAIC Insurance Data Security Model Law (MDL-668)

    • Health Industry Cybersecurity Practices (HICP)

  • Updated mappings for NIST CSF:

    • PR.AC-7 (IAC-04 & IAC-06)

    • RS.AN-5 (THR-03)

2018.1.2 (2018-11-16)

Summary of changes in 2018.1.2 release:

  • Added mappings for: 

    • Argentina Reg 132/2018 (Protection of Personal Data)

    • Brazil Law No. 13,709 (General Data Protection Law)

    • California Consumer Privacy Act (CCPA)

    • Motion Picture Association of America (MPAA) Content Security Program - Content Security Best Practices Common Guidelines (v4.0.4)

  • Added function grouping to align with NIST CSF functions

  • Updated SCF-P to align with SCF Privacy Management Principles

  • Updated mappings for SOC 2 (2017) P7.1, P8.1 & CC9.2

2018.1.1 (2018-08-16)

Summary of changes in 2018.1.1 release:

  • Updated mapping for SOC 2 2016 & 2017

  • Updated mapping for HIPAA

2018.1 (2018-07-18)

Summary of changes in 2018.1 release:

  • Updated “Personally Identifiable Information (PII)” to “Personal Information (PI)”

  • Updated “System Development Life Cycle (SDLC)” to “Secure Development Life Cycle (SDLC)”

  • Updated SOC 2 2017 TSC mappings

  • Updated HIPAA mappings

  • Corrected naming:

    • SEA-04.3: Thread Separation 

    • TPM-08: Managing Changes To Third-Party Services

    • TPM-10: Review of Third-Party Services


  • Added mapping for Center for Internet Security (CIS) Critical Security Controls (CSC) version 7.

  • Added mapping for ISO 29100:2011.

  • Corrected SCF mapping for CFG-05(d) (split tunneling) to be CFG-03.4.

  • Added EU GDPR Compliance Criteria (EGCC) tab.


  • Added column for relative control weighting

  • Added mapping for the German Compliance Controls Catalogue (C5)

  • Added the Business Mergers & Acquisitions (SCF-B) control set.


  • Original release (beta version)
