Errata

This page is periodically updated with errata (edits and changes) to the Secure Controls Framework (SCF), reflecting both minor and major revisions to the SCF.

Current Release

2021.1 (2020-12-18)

Summary of changes in 2021.1 release:

Added mapping for:

  • Australian Privacy Principles

Renamed:

  • EMB-05

  • HRS-04.4

  • IAC-10 

  • PRI-05

  • PRI-05.1

  • PRI-05.4

Refined/updated mappings (see column HS of the spreadsheet for the specific controls that were updated):

  • ISO 27001

  • ISO 27002

  • NIST CSF

  • CMMC v1.02

  • FAR 52.204-21

Based on user feedback, we also changed how the Risk Catalog and Threat Catalog are mapped into the SCF, so that the information is easier for people and tools to parse.

Historical Releases

2020.5 (2020-12-01)

Summary of changes in 2020.5 release:

Added functionality:

  • SCF Risk Catalog

  • SCF Threat Catalog

  • Privacy Management Principles 2020.3

  • CMMC broken out into Levels 1 through 5

Added mapping for:

  • IEC 62443-4-2

  • MPA Content Security Program v4.07

  • NIST SP 800-53 rev 5 (privacy, low, moderate & high baselines, as well as several Not Otherwise Categorized (NOC) controls)

  • NIST SP 800-172 (draft), renamed from NIST SP 800-171B

  • CJIS Security Policy 5.9

  • CMMC v1.02 (breakout for CMMC levels 1-5 into their own columns)

  • FAR Section 889

  • Germany C5 (2020)

  • Saudi Arabia ECC-1 2018

  • Australia ISM 2020

  • Australia IoT Code of Practice

Removed mappings for old versions:

  • MPAA Content Security Program v4.04

  • CJIS Security Policy 5.8

  • Germany C5 (2016)

  • Australia ISM 2017

Edited formatting for control numbering:

  • PCI DSS v3.2

  • HIPAA

  • Oregon Identity Theft Protection Act (OITPA)

Consolidations / Deprecated Controls:

  • PRI-01.2: No longer deprecated (reinstated due to NIST SP 800-53 rev 5)

  • TDA-11.2: Deprecated - incorporated into AST-09

Corrections:

  • Corrected domain naming from “Monitoring” to “Continuous Monitoring”

  • MON-01.7: Corrected typo for “AT” to “A6”

  • RSK-04: Corrected mapping for GDPR from Article 35.6 to Article 35.7

  • PRI-01, PRI-01.1, PRI-01.4:

    • Removed mapping to 1798.125(a) and kept 1798.125(a)(1)

    • Removed mapping to 1798.125(b) and kept 1798.125(b)(1)

  • PRI-06: Removed mapping to 1798.130(a)(1) and kept 1798.130(a)(1)(A)

  • PRI-07.3: Corrected mapping for CCPA from 1798.110(b)(4) to 1798.110(c)(4)

  • RISK-06.1: Removed extraneous “Principle” text

SCF control sets:

  • SCF-E was updated to reflect new content that affects embedded technology

  • SCF-G was updated to reflect NIST SP 800-171 rev2 CUI & NFO controls, in combination with CMMC level 3 practices.

  • SCF-P was updated to reflect the controls in the Privacy Management Principles (2020.3)

2020.4 (2020-04-03)

Summary of changes in 2020.4 release:

Added mappings for:

  • CMMC v1.02

  • NIST 800-171 rev2*

Removed mappings for old versions:

  • AICPA TSC (SOC2) v2016

  • CIS CSC v6.1

  • CMMC v1.0

  • COSO v2013

  • NIST 800-37 rev1

  • NIST 800-171 rev1

Corrections:

  • Removed draft controls from NIST Privacy Framework from

    • IRO-02

    • RSK-06

    • RSK-06.1

*Notes on NIST 800-171 rev2: streamlined the mapping relative to rev 1 and removed NIST 800-171 mappings from the following controls:

  • CHG-02.3

  • CRY-04

  • DCH-06

  • IAO-02

  • IRO-05

  • IRO-09

  • IRO-10

  • IRO-11

  • MON-02

  • NET-18

  • PES-05

  • THR-03

  • VPM-05

  • VPM-06.3

2020.3 (2020-03-13)

Summary of changes in 2020.3 release:

Updated mappings for:

  • Cybersecurity Maturity Model Certification (CMMC) v1.0

    • AST-02

    • AST-02.1

    • BCD-11.1

    • BCD-11.4

    • BCD-11.6

    • BCD-12

    • CFG-02

    • CFG-03

    • CFG-03.2

    • CFG-03.3

    • CHG-02.3

    • CLD-03

    • CPL-02

    • CPL-03

    • CRY-03

    • CRY-05

    • DCH-01

    • DCH-03

    • DCH-09

    • DCH-10

    • DCH-10.2

    • DCH-13.1

    • END-01

    • END-02

    • END-04

    • END-04.1

    • END-04.7

    • GOV-06

    • GOV-07

    • HRS-04

    • HRS-08

    • HRS-09

    • IAC-04

    • IAC-06

    • IAC-09

    • IAC-10

    • IAC-10.1

    • IAC-13

    • IAC-15

    • IAC-20

    • IAC-21.1

    • IAC-21.3

    • IAC-21.4

    • IAC-24

    • IAC-24.1

    • IAO-02

    • IAO-03

    • IAO-05

    • IAO-06

    • IRO-01

    • IRO-02

    • IRO-03

    • IRO-04

    • IRO-04.1

    • IRO-05

    • IRO-06

    • IRO-10

    • IRO-11

    • IRO-12

    • IRO-13

    • IRO-14

    • MNT-02

    • MNT-04

    • MNT-04.1

    • MNT-04.2

    • MON-01.11

    • MON-01.13

    • MON-01.14

    • MON-01.15

    • MON-01.3

    • MON-01.8

    • MON-02

    • MON-02.1

    • MON-02.4

    • MON-03

    • MON-03.1

    • MON-03.4

    • MON-05

    • MON-06

    • MON-07

    • MON-11

    • MON-11.1

    • MON-11.2

    • MON-11.3

    • MON-16

    • NET-03

    • NET-04.10

    • NET-04.11

    • NET-04.2

    • NET-04.5

    • NET-04.7

    • NET-04.8

    • NET-04.9

    • NET-06

    • NET-10

    • NET-14

    • NET-18

    • PES-01

    • PES-02

    • PES-03

    • PES-03.3

    • PES-05

    • PES-06

    • PES-08.2

    • PES-10

    • PES-12

    • PES-12.1

    • PES-12.2

    • PES-14

    • PRM-01

    • PRM-04

    • RSK-01

    • RSK-04

    • RSK-06

    • RSK-10

    • SAT-01

    • SAT-02

    • SAT-03

    • SAT-03.1

    • SAT-03.2

    • SAT-03.3

    • SEA-01

    • TDA-02.1

    • TDA-09.3

    • TDA-12

    • TDA-17.1

    • THR-01

    • THR-03

    • TPM-03

    • VPM-01

    • VPM-06

    • VPM-06.3

    • VPM-06.4

    • VPM-06.5

    • VPM-06.8

    • VPM-06.9

  • NIST 800-171

    • AST-02

    • AST-02.1

    • BCD-11.4

    • CFG-02

    • CFG-03.2

    • CPL-02

    • CRY-05

    • DCH-01

    • DCH-03

    • DCH-09

    • DCH-10

    • DCH-10.2

    • DCH-13.1

    • END-04

    • END-04.1

    • END-04.7

    • HRS-04

    • HRS-08

    • HRS-09

    • IAC-04

    • IAC-06

    • IAC-09

    • IAC-10

    • IAC-10.1

    • IAC-15

    • IAC-20

    • IAC-21.1

    • IAC-21.3

    • IAC-21.4

    • IAC-24

    • IAC-24.1

    • IAO-03

    • IAO-05

    • IRO-02

    • MNT-02

    • MNT-04

    • MNT-04.1

    • MNT-04.2

    • MON-01.8

    • MON-02.1

    • MON-03

    • MON-03.1

    • MON-06

    • MON-07

    • NET-03

    • NET-06

    • NET-14

    • NET-18

    • PES-01

    • PES-02

    • PES-03

    • PES-03.3

    • PES-06

    • PES-08.2

    • SAT-02

    • SAT-03

    • SEA-01

    • VPM-01

    • VPM-06

  • NIST Privacy Framework

    • IAO-03

    • IRO-02

    • PRI-01

    • PRI-01.1

    • PRM-04

  • NIST 800-53 rev4

    • AST-02.8

    • BCD-01

    • BCD-11.4

    • CFG-02.7

    • CPL-03.2

    • DCH-09.3

    • END-13.2

    • END-13.3

    • RSK-09

    • VPM-04.2

  • ISO 27701

    • CFG-02

    • GOV-01

    • OPS-01

    • OPS-01.1

    • OPS-02

Added content:

  • CRY-08.1 (added coverage for a cryptographic key resiliency)

2020.2 (2020-02-20)

Summary of changes in 2020.2 release:

  • Updated mapping:

    • Cybersecurity Maturity Model Certification (CMMC) v1.0

    • NIST Privacy Framework v1.0

  • Added content:

    • OPS-04 (added coverage for a Security Operations Center per CMMC v1.0 requirements)​​

2020.1 (2020-01-14)

Summary of changes in 2020.1 release:

  • Updated mapping for the California Consumer Privacy Act (CCPA) (January 1, 2020)

  • Updated mapping for California SB327 (January 1, 2020)

2019.7 (2019-12-17)

Summary of changes in 2019.7 release:

  • Added mapping:

    • CERT Resilience Management Model (RMM) v1.2

    • COBIT 2019

    • FedRAMP High baseline, plus Low, Moderate, High & LI-SaaS categorizations

    • ISO 22301:2019

    • ISO 27701:2019

    • ITAR (part 120 - partial mapping)

    • NIST 800-53 rev4 High baseline, plus Low, Moderate, High & Not Otherwise Categorized (NOC) categorizations

    • NIST 800-63B (partial mapping)

    • NIST 800-171B (2019 draft)

    • NIST Privacy Framework (2019 draft)

    • US DOD – Cybersecurity Maturity Model Certification (CMMC) v0.6

    • US DOJ/FBI - Criminal Justice Information Services (CJIS) Security Policy 5.8

    • US Nevada SB820

    • US Vermont Act 171 of 2018 (Data Broker Registration Act)

  • Added a new column to identify errata

  • Removed mappings for:

    • COBIT 5

    • CJIS 5.5 

  • Updated mappings for:

    • California Consumer Privacy Act (CCPA)

    • FAR 52.204-21

    • FDA 21 CFR Part 11

2019.6 (2019-09-04)

Summary of changes in 2019.6 release:

  • Added mapping:

    • Secure Controls Framework (SCF) control questions (each control restated in question format)

    • SCF’s Security & Privacy Capability Maturity Model (SP-CMM) criteria

  • Added mapping for:

    • Israel’s Cyber Defense Methodology for an Organization (CDMO) v1.0

    • COSO 2017

  • Added additional mappings for NIST 800-53 rev4 & rev5 (initial draft):

    • AC-6 added mapping to IAC-20

  • Added additional mappings for NIST Cybersecurity Framework v1.1:

    • ID.BE-05 added mapping to BCD-02 

    • PR.IP-6 added mapping to DCH-09

    • PR.PT-5 added mapping to SEA-01

    • DE.DP-1 added mapping to HRS-03

    • DE.DP-2 added mapping to CPL-01

    • RC.CO-1 added mapping to IRO-02

    • RC.CO-2 added mapping to IRO-02

    • RC.CO-3 added mapping to IRO-02

    • PR.DS-8 added mapping to MON-01.7 & TDA-14

  • Wordsmithed the following SCF controls:

    • BCD-02

    • BCD-02.1

    • BCD-02.2

2019.5 (2019-07-31)

Summary of changes in 2019.5 release:

  • Added mapping for:

    • IRS 1075

    • Social Security Administration (SSA) Electronic Information Exchange Requirements

    • SWIFT Customer Security Controls Framework v2019

  • Added additional mappings for NIST 800-53 rev4:

    • SA-1 (TDA-01)

    • SC-1 (SEA-01)

2019.4 (2019-04-23)

Summary of changes in 2019.4 release:

  • Updated mapping for Cloud Security Alliance Cloud Controls Matrix (CSA CCM):

    • AST-04 maps to: DSI-02

    • AST-09 maps to: DCS-05

    • AST-16 maps to: MOS-06

    • CFG-03 maps to: IAM-03

    • CHG-04.5 maps to: IAM-06

    • CLD-04 maps to: AIS-01 & IPY-01

    • CLD-05 maps to: IVS-02

    • CLD-06 maps to: IVS-09

    • CLD-07 maps to: IVS-10

    • CPL-02 maps to: GRM-03

    • CRY-03 maps to: IVS-10

    • GOV-01 maps to: GRM-04

    • HRS-05.1 maps to: MOS-06

    • IAC-01 maps to: IAM-01 & IAM-04

    • IAC-02 maps to: IAM-09

    • IAC-03 maps to: IAM-07

    • IAC-03 maps to: IAM-09

    • IAC-04 maps to: DCS-03

    • IAC-05 maps to: IAM-09

    • IAC-07 maps to: IAM-09 & IAM-11

    • IAC-15 maps to: IAM-10

    • IAC-15.3 maps to: IAM-11

    • IAC-15.6 maps to: IAM-11

    • IAC-17 maps to: IAM-10

    • IAC-20.3 maps to: IAM-01 & IAM-13

    • IRO-08 maps to: SEF-04

    • MDM-03 maps to: MOS-11

    • MON-01 maps to: IAM-04

    • NET-01 maps to: IPY-04

    • PRI-06 maps to: IPY-02

    • PRI-06.4 maps to: IPY-04

    • PRI-06.6 maps to: IPY-02

    • PRI-07 maps to: IPY-03

    • PRI-07.1 maps to: IPY-03

    • SEA-01 maps to: AIS-01 & IPY-04

2019.3 (2019-04-04)

Summary of changes in 2019.3 release:

  • Added mapping for:

    • Alaska Personal Information Protection Act (PIPA)

    • California SB1121 – California Consumer Privacy Act (CCPA) (Nov 2018 amendment version)

    • DCH-14 maps to:

      • EU GDPR Art 46

    • PES-01 maps to:

      • ISO 27002 11.1.4 & 18.1.4

    • PES-04 maps to:

      • ISO 27002 11.2.9

    • PES-12 maps to:

      • ISO 27002 11.1.4

  • Corrected typographic error on NET-04

    • ISO 27002 mapping is 13.1.1, not 13.11

2019.2 (2019-02-11)

Summary of changes in 2019.2 release:

  • Added mapping for:

    • CPL-03.1 maps to:

      • NIST 800-53 rev4 CA-2(1)

      • NIST 800-171 NFO (CA-2(1))

    • IAO-04 maps to:

      • NIST 800-53 rev4 CA-1 & PM-10

      • NIST 800-171 NFO (CA-1)

    • PES-01 maps to:

      • ISO 27002 11.1.4

2019.1 (2019-01-09)

Summary of changes in 2019.1 release:

  • Added additional tabs to the spreadsheet:

    • Security & Privacy by Design (S|P) Principles tab

    • SCF Privacy Management Principles tab

    • EU GDPR Compliance Criteria (EGCC) tab

  • Added a column for Minimum Security Requirements (MSR) to make filtering requirements easier.

  • Added mapping for:

    • NAIC Insurance Data Security Model Law (MDL-668)

    • Health Industry Cybersecurity Practices (HICP)

  • Updated mappings for NIST CSF:

    • PR.AC-7 (IAC-04 & IAC-06)

    • RS.AN-5 (THR-03)

2018.1.2 (2018-11-16)

Summary of changes in 2018.1.2 release:

  • Added mappings for:

    • Argentina Reg 132/2018 (Protection of Personal Data)

    • Brazil Law No. 13,709 (General Data Protection Law)

    • California Consumer Privacy Act (CCPA)

    • Motion Picture Association of America (MPAA) Content Security Program - Content Security Best Practices Common Guidelines (v4.0.4)

  • Added function grouping to align with NIST CSF functions

  • Updated SCF-P to align with SCF Privacy Management Principles

  • Updated mappings for SOC 2 (2017) P7.1, P8.1 & CC9.2

2018.1.1 (2018-08-16)

Summary of changes in 2018.1.1 release:

  • Updated mapping for SOC 2 2016 & 2017

  • Updated mapping for HIPAA

2018.1 (2018-07-18)

Summary of changes in 2018.1 release:

  • Updated “Personally Identifiable Information (PII)” to “Personal Information (PI)”

  • Updated “System Development Life Cycle (SDLC)” to “Secure Development Life Cycle (SDLC)”

  • Updated SOC 2 2017 TSC mappings

  • Updated HIPAA mappings

  • Corrected naming:

    • SEA-04.3: Thread Separation 

    • TPM-08: Managing Changes To Third-Party Services

    • TPM-10: Review of Third-Party Services

2018.1.2-BETA

  • Added mapping for Center for Internet Security (CIS) Critical Security Controls (CSC) version 7.

  • Added mapping for ISO 29100:2011.

  • Corrected SCF mapping for CFG-05(d) (split tunneling) to CFG-03.4.

  • Added EU GDPR Compliance Criteria (EGCC) tab.

2018.1.1-BETA

  • Added column for relative control weighting

  • Added mapping for the German Compliance Controls Catalogue (C5)

  • Added the Business Mergers & Acquisitions (SCF-B) control set.

2018.1.0-BETA

  • Original release (beta version)