Everything you need to know about the Secure Controls Framework® (SCF), the Common Controls Framework™, from getting started and understanding the metaframework to SCF CAP certification, licensing, and implementation.
Foundational questions about what the SCF is, why it exists, and what makes it different from other cybersecurity frameworks.
The SCF stands for the Secure Controls Framework. It is more than just an assortment of cybersecurity and data privacy controls. It is focused on designing, implementing and maintaining secure, compliant, and resilient capabilities to address all applicable statutory, regulatory and contractual requirements that an organization faces.
Our belief is that if you scope your requirements with security in mind, compliance will generally be a natural byproduct of those secure and resilient actions. We want organizations to be secure, compliant and resilient, since it benefits all of modern society.
Common Controls Framework™ is a trademarked term, and the SCF holds exclusive rights to use it. The SCF is the Common Controls Framework™ (CCF): it provides a common set of controls that organizations use to satisfy multiple compliance obligations simultaneously through a single, unified control set, and it owns the domains commoncontrolsframework.com and common-controls-framework.com.
A "metaframework" is a framework of frameworks. That is exactly what the SCF is. It is a framework made up of over 200 cybersecurity and data privacy laws, regulations and frameworks. Rather than implementing each framework separately, the SCF provides a single comprehensive control set that maps to all of them simultaneously.
NIST CSF, ISO 27001, and CIS Critical Security Controls are individual cybersecurity frameworks. The SCF is a metaframework that encompasses all of them, and over 200 others. When you implement the SCF, you are implementing the common controls that satisfy NIST, ISO, CIS, and many other frameworks simultaneously.
This eliminates the need to maintain separate control sets for each framework, regulation, or law your organization must comply with. The SCF’s Set Theory Relationship Mapping (STRM) methodology ensures these mappings are mathematically rigorous, not subjective crosswalks.
The general cadence for updates is one (1) update per quarter. There may be situations where out-of-cycle updates are released, but the goal is to publish updates on a quarterly basis. The SCF is a Living Control Set, meaning it is continuously maintained and updated to reflect changes in the regulatory landscape.
Yes. The SCF has had coverage for AI since 2024. The Artificial Intelligence & Autonomous Technologies (AAT) domain is one of thirty-three domains in the SCF. That domain has coverage for these AI-specific requirements:
Practical questions about downloading, implementing, and operationalizing the SCF in your organization.
The best place to begin is the Start Here page. It provides a guided introduction to the Secure Controls Framework, what it is, how it works, and how to begin using it in your organization. The page walks you through the SCF's structure, its 33 domains, the metaframework concept, and links to the key resources you'll need.
Start by reading the "What Is The SCF" page, which includes a Start Here Guide for recommended practices.
To build an SCF-based cybersecurity program, begin with the Security, Compliance & Resilience Management System (SCRMS) and the SCRMS Prioritized Implementation Guide (SCRMS-PIG). These provide a "paint by numbers" approach to creating a tailored, prioritized set of controls.
Once ready to start working with the SCF, you can either:
The Security, Compliance & Resilience Management System (SCRMS) is the SCF’s implementation methodology. It provides the structured approach for designing, building, and maintaining a cybersecurity program using the SCF. Think of it as the "how to" guide for turning SCF controls into an operational program.
The SCRMS covers the full lifecycle: scoping, tailoring controls, implementing, operating, and continuously improving your program across the People, Process, Technology, Data, and Facilities (PPTDF) dimensions.
The SCF controls are written to be flexible for organizations of any size or industry. The term "mechanism" can mean a manual process, technology solution, or anything in between. If you prefer different wording, you can replace "mechanism" with "solution," "processes," or another term that fits your organization’s context.
The key point is that a mechanism demonstrates that the control requirement is being addressed, whether through a documented procedure, an automated tool, or a combination of both.
If you need assistance with tailoring or operationalizing the SCF, there are several options:
Questions about the SCF’s control structure, domain organization, risk model, maturity model, and how controls work in practice.
The SCF contains over 1,400 controls across 33 domains. These controls are mapped to over 200 cybersecurity and data privacy laws, regulations, and frameworks. The SCF is a comprehensive catalog. You are not expected to implement all 1,400+ controls. The tailoring process helps you select only the controls applicable to your organization.
The SCF is organized into 33 control domains that cover every aspect of cybersecurity and data protection. These range from Governance (GOV) and Risk Management (RSK) to specialized domains like Artificial Intelligence & Autonomous Technologies (AAT), Supply Chain Risk Management (SCR), and Web Security (WEB). You can explore the full list on the SCF Domains & Principles page.
Assessment Objectives (AOs) are the specific, testable criteria used to evaluate whether a control is appropriately designed, properly implemented, and producing the desired security outcome. Each SCF control has one or more AOs that assessors use during SCF CAP conformity assessments.
AOs are defined in the Cybersecurity & Data Protection Assessment Standards (CDPAS), which is free to download.
The Security, Compliance & Resilience Risk Management Model (SCR-RMM) is the SCF’s free, integrated risk model. It provides a structured approach to identifying, analyzing, and managing cybersecurity and data privacy risks at the control level. Rather than treating risk management as a separate exercise, the SCR-RMM embeds risk directly into the SCF’s control structure.
The SCR-RMM maps specific risks and threats to each SCF control, giving organizations a clear view of what could go wrong if a control is absent or inadequate. This enables risk-informed decision-making when tailoring and prioritizing controls. You can see exactly which risks you are accepting, mitigating, or transferring for every control in your program.
The SCR-RMM is available as a free download from the SCR-RMM page.
The Security, Compliance & Resilience Capability Maturity Model (SCR-CMM) is the SCF’s free maturity model that allows organizations to measure and benchmark the maturity of their cybersecurity and data privacy practices at the control level. It provides quantifiable maturity criteria for each SCF control across defined maturity levels.
The SCR-CMM helps organizations answer the question "how good are we?" by providing a consistent scale for evaluating People, Processes, and Technology (PPT) across every control. This supports capability gap analysis, investment prioritization, and board-level reporting on cybersecurity program maturity over time.
The SCR-CMM is available as a free download from the SCR-CMM page.
Cybersecurity materiality is the concept of determining which cybersecurity and data privacy risks are significant enough to warrant attention, investment, and disclosure. Drawing from the financial auditing concept of materiality, it applies the same principle to cybersecurity: not every risk is equal, and organizations must determine which risks, if left unaddressed, could materially impact the business.
The SCF addresses cybersecurity materiality as a GRC Fundamentals topic. In practice, this means defining thresholds for what constitutes a "material" cybersecurity risk or deficiency in your organization, which informs control scoping, investment decisions, board reporting, and regulatory disclosure obligations (e.g., SEC cybersecurity incident disclosure rules).
Materiality is particularly relevant for organizations subject to regulatory disclosure requirements, public companies, and any organization communicating cybersecurity posture to stakeholders, investors, or regulators.
How the SCF maps to 200+ laws, regulations, and frameworks using rigorous Set Theory Relationship Mapping.
The SCF uses Set Theory Relationship Mapping (STRM), a mathematically rigorous methodology based on NIST IR 8477, to map controls to external frameworks, laws, and regulations. Unlike subjective crosswalks, STRM uses set theory to define the precise relationship between SCF controls and external requirements, producing mappings that are accurate, consistent, and defensible.
Set Theory Relationship Mapping (STRM) is the gold standard for crosswalk mapping between cybersecurity and data privacy requirements. It replaces subjective "best guess" crosswalks with a mathematical model that precisely defines the relationship between controls and external requirements.
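As an added illustration (not the SCF's own STRM tooling or mapping data), the classification logic behind the five set-theory relationship types that NIST IR 8477 defines, applied to constructed requirement decompositions; the control labels and atomic requirement names below are hypothetical:

```python
from enum import Enum

class Relationship(Enum):
    """The five set-theory relationship types defined in NIST IR 8477."""
    EQUAL = "equal"
    SUBSET_OF = "subset of"
    SUPERSET_OF = "superset of"
    INTERSECTS_WITH = "intersects with"
    NO_RELATIONSHIP = "no relationship"

def strm_relationship(focal: set[str], reference: set[str]) -> Relationship:
    """Relationship of the focal element to the reference element, each decomposed into atomic requirements."""
    if not focal or not reference:
        raise ValueError("each element must decompose into at least one requirement")
    if focal == reference:
        return Relationship.EQUAL
    if focal < reference:   # every focal requirement also appears in the reference
        return Relationship.SUBSET_OF
    if focal > reference:   # focal imposes everything the reference does, plus more
        return Relationship.SUPERSET_OF
    if focal & reference:   # partial overlap in both directions
        return Relationship.INTERSECTS_WITH
    return Relationship.NO_RELATIONSHIP

def uncovered(external: set[str], mapped_controls: dict[str, set[str]]) -> set[str]:
    """Atomic requirements of an external obligation that none of the mapped controls address."""
    return external - set().union(*mapped_controls.values())

# Constructed decompositions with hypothetical labels; not the SCF's actual STRM data.
CONTROLS = {
    "CTL-MFA": {"mfa-privileged", "mfa-remote", "mfa-network"},
    "CTL-SESSION": {"session-lock", "session-timeout"},
}
EXTERNAL = {
    "EXT-1": {"mfa-privileged", "mfa-remote"},   # narrower than CTL-MFA
    "EXT-2": {"mfa-remote", "session-lock"},     # straddles two controls
    "EXT-3": {"log-retention"},                  # nothing in the catalog covers it
}

def classify(external_id: str) -> dict[str, str]:
    """Relationship of one external requirement (focal) to every catalog control (reference)."""
    ext = EXTERNAL[external_id]
    return {cid: strm_relationship(ext, ctl).value for cid, ctl in CONTROLS.items()}

if __name__ == "__main__":
    for ext_id, reqs in EXTERNAL.items():
        # A non-empty 'uncovered' set means the mapping alone does not satisfy the obligation.
        print(ext_id, classify(ext_id), "uncovered:", uncovered(reqs, CONTROLS))
```

A "subset of" or "intersects with" result tells a tailoring team that the single mapped control is not sufficient evidence for the external obligation, which is why the uncovered-requirement check matters more than the relationship label alone.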
The SCF is a recognized NIST OLIR Program participant with accepted mappings between the SCF and NIST frameworks.
The SCF maps to over 200 laws, regulations, and frameworks including NIST CSF, NIST 800-53, NIST 800-171, ISO 27001/27002, CIS Controls, CMMC, HIPAA, GDPR, PCI DSS, SOC 2 TSC, CCPA/CPRA, NIS2, DORA, FedRAMP, SOX, GLBA, and many more. The complete list is available on the Included Laws, Regulations & Frameworks (LRF) page.
Questions about why the SCF is free, what the Creative Commons license allows, and commercial licensing options.
The SCF is free to help fix the broken nature of cybersecurity and data protection practices in many organizations. The quality of the SCF could easily justify a costly subscription service, but that would exclude most organizations and defeat the broader goal of improving cybersecurity and privacy practices on a macro scale.
The SCF’s contributors are volunteers, and the project relies on generous sponsors to maintain the framework.
The SCF is copyrighted material that uses the Creative Commons licensing model to keep it free for businesses to use. The Terms & Conditions page details the open license granted for organizational use. There are options for commercial (paid) licenses for companies that want to create derivative content based on the SCF.
Questions about SCF CAP certification for organizations, including assessment methodology, 3PAOs, and The CyberAB.
The SCF Conformity Assessment Program (SCF CAP) is the organization-level certification program that allows organizations to demonstrate conformity with SCF-based cybersecurity and data protection requirements. Assessments are conducted by accredited Third-Party Assessment Organizations (3PAOs) using the examine, interview, and test (EIT) methodology.
The CyberAB is the official Accreditation Body (AB) for the SCF Conformity Assessment Program (SCF CAP). The CyberAB accredits 3PAOs, maintains the SCF Marketplace, and oversees the accreditation standards that ensure assessment quality and independence.
SCF Assessment Guides are pre-built, ready-to-use assessment packages that define the specific set of controls an organization must implement and be assessed against for a particular compliance objective (e.g., NIST CSF 2.0, CMMC Level 1, HIPAA). Each guide maps to the relevant SCF controls and Assessment Objectives for that certification track.
Questions about the three SAICO individual certification tracks and how to get certified.
SAICO is the SCF Assessor and Instructor Certification Organization. SAICO provides three Computer-Based Training (CBT) certification programs for individuals: SCF Practitioner (foundation), SCF Architect (design & implementation), and SCF Assessor (assessment & audit).
The three SAICO certification tracks are:
All three are delivered via self-paced CBT through the SCF Training Platform.
Questions about the SCF partner ecosystem, marketplace participants, and how to find SCF expertise.
The SCF Marketplace connects organizations with SCF expertise. It includes six categories of ecosystem participants: 3PAOs (assessment organizations), ASPs (solution providers), RPOs (consulting providers), ACIs (control integrators), LTPs (training providers), and LCPs (content providers). The authoritative listing is maintained by The CyberAB.
SCF Connect is the SCF-specific GRC platform built from the ground up to operationalize the Secure Controls Framework. It is the official Single Source of Truth (SSOT) for SCF CAP third-party conformity assessments. SCF Connect is priced at $200/month and provides an intuitive SaaS platform for implementing, managing, and reporting on SCF-based cybersecurity programs.
Questions about the SCF download formats, NIST OSCAL support, and technical integration options.
The SCF is available for free download in multiple formats:
NIST OSCAL (Open Security Controls Assessment Language) is a standardized, machine-readable format for representing cybersecurity controls, assessment results, and system security plans. The SCF supports OSCAL JSON to enable automated ingestion by GRC platforms, security tooling, and compliance automation systems, eliminating manual data entry and enabling continuous compliance monitoring.
The SCF provides a comprehensive library of free content beyond the control catalog: