Errata

This page will be periodically updated with errata (e.g., edits or changes) to the Secure Controls Framework (SCF) that reflect both minor and major revisions to the SCF.

Current Release

2022.1 (2022-03-15)

Summary of changes in 2022.1 release:

Version 2022.1 represents a moderate update: there is some new content, along with minor refinement of existing content to standardize wording and improve readability.

The SCF is pleased to announce that the Shared Assessments Standard Information Gathering Questionnaire (SIG) mapping is now incorporated into the SCF’s catalog of controls. This was a collaborative endeavor between Shared Assessments and the SCF, where users leveraging the SCF’s comprehensive controls catalog will be able to map directly to questions in the Shared Assessments SIG. This collaboration expands the SIG library related to third party risk management.


Principles Update:

  • All SCF principles were reviewed and updated, in light of two US Government documents:

    • Executive Order 14028; and

    • NIST SP 800-160 vol 2 rev 1

  • The US Government is ramping up a focus on cybersecurity through a variety of initiatives related to the security and integrity of the software supply chain, including the concept of resiliency.

  • Resiliency is intended to reduce risk to organizations by having systems, applications and services that are securely designed to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises.

  • With how US Government regulations “trickle down” through contracts, it was determined that the principles needed to reflect these concepts.


Added Mapping:

  • Shared Assessments Standard Information Gathering (SIG)

  • ISO 27002:2022

  • NIST SP 800-171A

  • NIST SP 800-218 v1.1

  • US - Colorado Privacy Act

  • US - Illinois Personal Information Protection Act (PIPA)

  • US - New York SHIELD Act (S5575B)

  • US - Texas DIR Control Standards 2.0

  • US - Texas Risk & Authorization Management Program (TX-RAMP)

  • Australia - Prudential Standard CPS 234 Information Security

  • Japan - Act on the Protection of Personal Information (June 2020)

  • Saudi Arabian Monetary Authority (SAMA) Cyber Security Framework (CSF)

  • Singapore Cyber Hygiene Practice

  • Singapore MAS TRM Guidelines 2021

  • Threat catalog:

    • MT-11 - Statutory / Regulatory / Contractual Obligation


Renamed:

  • DCH-22.3: Primary Source Personal Data (PD) Collection

  • TDA-06.3: Software Assurance Maturity Model (SAMM)


Wordsmithed:

  • AST-02.7: Software Licensing Restrictions

  • HRS-09.3: Post-Employment Requirements


Updated Mapping:

  • CMMC 2.0 (Levels 1-3)

  • IEC 62443-4-2 (control mapping taxonomy)

  • AST-01 (added 2.1 for CIS v8)

  • AST-02 (added 2.1 for CIS v8)


Added Controls:

  • CLD-06.1: Customer Responsibility Matrix (CRM)

  • IAC-03.5: Acceptance of External Authenticators

  • PRI-03.6: Proxy Consent

  • PRI-04.4: Acquired Personal Data (PD)

  • TDA-20.3: Software Escrow

Historical Releases

2021.3 (2021-11-17)

Added:

  • NIST SP 800-172 (updated from draft version)

  • China Data Security Law (DSL)

  • China Privacy Law

  • SCF-R (Ransomware Protection), https://www.securecontrolsframework.com/scf-r-ransomware, which is based on NISTIR 8374 (draft), Cybersecurity Framework Profile for Ransomware Risk Management

  • Threat catalog:

    • MT-9: Human Error

    • MT-10: Technical / Mechanical Failure


Updated/revised mapping:

  • ISO 27001

    • GOV-01

    • GOV-01.1

    • GOV-02

    • GOV-08

    • AST-01.2

    • SEA-02.1

  • Changes related to Cybersecurity Maturity Model Certification (CMMC) 2.0, which reduces CMMC from 5 to 3 levels:

    • Level 1 CMMC remains unchanged

    • Level 2 is deleted

    • Level 3 is now Level 2

    • Level 4 is deleted

    • Level 5 is now Level 3

  • NIST SP 800-172

    • AST-02.5

    • AST-18

    • DCH-18

    • END-04

    • END-04.6

    • HRS-04

    • HRS-04.1

    • HRS-07

    • HRS-07.1

    • HRS-09.2

    • IAC-10.11

    • IAO-01.1

    • IAO-02

    • IAO-02.2

    • IAO-03

    • IRO-07

    • RSK-09.1

    • SAT-02.1

    • SAT-02.2

    • SAT-03.2

    • SAT-03.6

    • SEA-15

    • TDA-05

    • THR-01

    • THR-07

    • VPM-01.1


New Controls:

  • GOV-12: Forced Technology Transfer

  • GOV-13: State-Sponsored Espionage

  • CPL-06: Government Surveillance

  • DCH-26: Data Localization

  • PRI-03.5: Product or Service Delivery Restrictions

  • PRI-04.3: Identifiable Image Collection

  • PRI-16: Potential Human Rights Abuses


Renamed:

  • CPL-02: Security & Privacy Controls Oversight

  • MON-04: Event Log Storage Capacity

  • MON-05: Response To Event Log Processing Failures

  • MON-05.1: Real-Time Alerts of Event Logging Failure

  • MON-05.2: Event Log Storage Capacity Alerting

  • MON-08: Protection of Event Logs

  • MON-08.1: Event Log Backup on Separate Physical Systems / Components

  • MON-08.3: Cryptographic Protection of Event Log Information

  • MON-10: Event Log Retention

  • MON-13: Alternate Event Logging Capability

  • MON-14.1: Sharing of Event Logs

  • PRI-03.5: Product or Service Delivery Restrictions

  • PRI-04.3: Identifiable Image Collection

  • TDA-11: Product Tampering and Counterfeiting (PTC)


Wordsmithed:

  • GOV-06: Contacts With Authorities

  • GOV-10: Data Governance

  • GOV-11: Purpose Validation

  • AST-02: Asset Inventories

  • AST-02.2: Automated Unauthorized Component Detection

  • AST-02.4: Approved Baseline Deviations

  • AST-02.5: Network Access Control (NAC)

  • AST-02.8: Data Action Mapping

  • AST-02.9: Configuration Management Database (CMDB)

  • AST-03: Assigning Ownership of Assets

  • AST-03.1: Accountability Information

  • AST-04: Network Diagrams & Data Flow Diagrams (DFDs)

  • AST-05: Security of Assets & Media

  • AST-07: Kiosks & Point of Sale (PoS) Devices

  • AST-11: Removal of Assets

  • AST-14: Usage Parameters

  • AST-15: Tamper Protection

  • AST-27: Jump Server

  • AST-29: Radio Frequency Identification (RFID) Security

  • AST-29.1: Contactless Access Control Systems

  • AST-30: Decommissioning

  • BCD-03: Contingency Training

  • BCD-04: Contingency Plan Testing & Exercises

  • BCD-06: Contingency Planning & Updates

  • BCD-09.4: Preparation for Use

  • BCD-10.1: Priority of Service Provisions

  • BCD-11: Data Backups

  • BCD-11.4: Cryptographic Protection

  • BCD-11.5: Test Restoration Using Sampling

  • BCD-11.6: Transfer to Alternate Storage Site

  • BCD-11.7: Redundant Secondary System

  • BCD-12.2: Failover Capability

  • BCD-12.4: Restore Within Time Period

  • CAP-01: Capacity & Performance Management

  • CAP-04: Performance Monitoring

  • CHG-02.1: Prohibition Of Changes

  • CHG-02.3: Security Representative for Change

  • CHG-04.2: Signed Components

  • CHG-06.1: Report Verification Results

  • CLD-09: Geolocation Requirements for Processing, Storage and Service Locations

  • CPL-01: Statutory, Regulatory & Contractual Compliance

  • CPL-02: Security & Privacy Controls Oversight

  • CPL-03.1: Independent Assessors

  • CPL-03.2: Functional Review Of Security Controls

  • CPL-04: Audit Activities

  • CPL-05: Legal Assessment of Investigative Inquiries

  • CPL-05.2: Investigation Access Restrictions

  • CFG-02.4: Development & Test Environment Configurations

  • MON-01.2: Automated Tools for Real-Time Analysis

  • MON-04: Event Log Storage Capacity

  • MON-05: Response To Event Log Processing Failures

  • MON-05.1: Real-Time Alerts of Event Logging Failure

  • MON-05.2: Event Log Storage Capacity Alerting

  • MON-06: Monitoring Reporting

  • MON-07: Time Stamps

  • MON-08.1: Event Log Backup on Separate Physical Systems / Components

  • MON-08.3: Cryptographic Protection of Event Log Information

  • MON-08.4: Dual Authorization

  • MON-10: Event Log Retention

  • MON-13: Alternate Event Logging Capability

  • MON-14: Cross-Organizational Monitoring

  • MON-14.1: Sharing of Event Logs

  • CRY-05: Encrypting Data At Rest

  • CRY-05.1: Storage Media

  • CRY-09.2: Asymmetric Keys

  • DCH-05.7: Consistent Attribute Interpretation

  • DCH-07.1: Custodians

  • MDM-10: Separate Mobile Device Profiles

  • PRI-02: Privacy Notice

  • PRI-04: Collection

  • TDA-11: Product Tampering and Counterfeiting (PTC)

2021.2 (2021-06-07)

Summary of changes in 2021.2 release:

Added additional columns to help define "must have" vs "nice to have" controls per the Integrated Controls Management (ICM) model:

  • Minimum Compliance Criteria (MCC)

  • Discretionary Security Requirements (DSR)

  • Minimum Security Requirements (MSR = MCC + DSR)

Added additional columns to help define the control focus for Supply Chain Risk Management (SCRM), per NIST SP 800-161 guidelines:

  • Tier 1 - Strategic Risk (organization-level)

  • Tier 2 - Operational Risk (business process-level)

  • Tier 3 - Tactical Risk (system, application & service-level)

Added mapping for new laws/regulations/frameworks:

  • CIS CSC v8

  • CSA CCM v4

  • CSA IoT SCF v2

  • NIST SSDF

  • NIST SP 800-161 R1 draft [partial]

  • StateRAMP

  • VA CDPA

  • UK GDPR

  • New Zealand Health ISF

  • New Zealand Privacy Act of 2020

  • Bermuda BMA CCC

  • Canada CSAG

Updated mapping:

  • CFG-03.1 – added ISO 27002 controls 12.6.1 & 14.2.5

  • MON-01.7 – added CIS 7.1 controls for 14.9

  • IRO-02 – corrected typo from “095” to “096”

  • DCH-06 – corrected typo from “9.79” to “9.7” for PCI DSS

  • NET-03.3 – corrected typo from “1.3.8” to “1.3.7” for PCI DSS

  • Multiple - South Africa's POPIA

  • NIST SP 800-53B (high baseline)

    • AU-6(5)

    • AU-6(6)

    • SI-4(14)

  • NIST SP 800-53B (Not Otherwise Categorized (NOC))

    • AU-6(4)

    • SI-4(15)

    • PT-4(1)

    • PT-4(2)

    • PT-4(3)

    • PT-5(1)

    • SA-9(3)

    • SA-9(4)

    • SA-9(5)

Renamed:

  • AST-02.4 – Approved Baseline Deviations

  • CFG-02.7 – Approved Configuration Deviations

  • MON-01.13 – Alert Threshold Tuning

  • DCH-25 – Transfer of Sensitive Data

  • END-06 – Endpoint File Integrity Monitoring (FIM)

  • PRI-05.2 – Personal Data Accuracy & Integrity

  • PRI-06.1 – Correcting Inaccurate Information

  • VPM-05 – Software & Firmware Patching


Wordsmithed:

  • AST-14.1

  • BCD-12

  • CFG-02.7

  • CRY-08

  • DCH-25

  • END-05

  • IAC-02

  • IAC-03

  • IAC-04

  • IAC-06

  • NET-14

  • NET-14.2

  • PRI-06.1

  • VPM-06.6

  • VPM-06.7

Added content:

  • Threat Catalog

    • MT-8 - Dysfunctional Management Practices

  • Controls Catalog

    • AST-01.3 - Standardized Naming Convention

    • BCD-14 – Isolated Recovery Environment

    • CAP-04 - Performance Monitoring

    • CFG-07 - Zero-Touch Provisioning (ZTP)

    • EMB-09 - Power Level Monitoring

    • EMB-10 - Embedded Technology Reviews

    • EMB-11 - Message Queuing Telemetry Transport (MQTT) Security

    • EMB-12 - Restrict Communications

    • EMB-13 - Authorized Communications

    • EMB-14 – Operating Environment Certification

    • EMB-15 - Safety Assessment

    • EMB-16 - Certificate-Based Authentication

    • EMB-17 - Chip-To-Cloud Security

    • EMB-18 - Real-Time Operating System (RTOS) Security

    • EMB-19 - Safe Operations

    • IAC-29 - Attribute-Based Access Control (ABAC)

    • MDM-09 – Mobile Device Geofencing

    • MDM-10 – Separate Mobile Device Profiles

    • PES-17 - Proximity Sensor

    • PRI-01.5 - Binding Corporate Rules (BCR)

    • PRI-01.6 - Security of Personal Data

    • PRI-01.7 - Limiting Personal Data Disclosures

    • PRI-04.2 - Primary Sources

    • TDA-04.2 - Software Bill of Materials (SBOM)

    • TDA-06.3 - Software Assurance Maturity Model (SAAM)

    • TDA-06.4 - Supporting Toolchain

    • TDA-06.5 - Software Design Review

    • TDA-09.6 - Secure Settings By Default

    • TDA-20.1 – Software Release Integrity Violation

    • TDA-20.2 - Archiving Software Releases

    • TPM-01.1 – Third-Party Inventories

Removed:

  • New Zealand Privacy Act of 1993 (replaced with 2020 version)